28 * Packet type contexts, so that ssh2_pkt_type can correctly decode
29 * the ambiguous type numbers back into the correct type strings.
39 SSH2_PKTCTX_PUBLICKEY,
45 static const char *const ssh2_disconnect_reasons[] = {
47 "host not allowed to connect",
49 "key exchange failed",
50 "host authentication failed",
53 "service not available",
54 "protocol version not supported",
55 "host key not verifiable",
58 "too many connections",
59 "auth cancelled by user",
60 "no more auth methods available",
65 * Various remote-bug flags.
67 #define BUG_CHOKES_ON_SSH1_IGNORE 1
68 #define BUG_SSH2_HMAC 2
69 #define BUG_NEEDS_SSH1_PLAIN_PASSWORD 4
70 #define BUG_CHOKES_ON_RSA 8
71 #define BUG_SSH2_RSA_PADDING 16
72 #define BUG_SSH2_DERIVEKEY 32
73 #define BUG_SSH2_REKEY 64
74 #define BUG_SSH2_PK_SESSIONID 128
75 #define BUG_SSH2_MAXPKT 256
76 #define BUG_CHOKES_ON_SSH2_IGNORE 512
77 #define BUG_CHOKES_ON_WINADJ 1024
78 #define BUG_SENDS_LATE_REQUEST_REPLY 2048
81 * Codes for terminal modes.
82 * Most of these are the same in SSH-1 and SSH-2.
83 * This list is derived from RFC 4254 and
87 const char* const mode;
89 enum { TTY_OP_CHAR, TTY_OP_BOOL } type;
91 /* "V" prefix discarded for special characters relative to SSH specs */
92 { "INTR", 1, TTY_OP_CHAR },
93 { "QUIT", 2, TTY_OP_CHAR },
94 { "ERASE", 3, TTY_OP_CHAR },
95 { "KILL", 4, TTY_OP_CHAR },
96 { "EOF", 5, TTY_OP_CHAR },
97 { "EOL", 6, TTY_OP_CHAR },
98 { "EOL2", 7, TTY_OP_CHAR },
99 { "START", 8, TTY_OP_CHAR },
100 { "STOP", 9, TTY_OP_CHAR },
101 { "SUSP", 10, TTY_OP_CHAR },
102 { "DSUSP", 11, TTY_OP_CHAR },
103 { "REPRINT", 12, TTY_OP_CHAR },
104 { "WERASE", 13, TTY_OP_CHAR },
105 { "LNEXT", 14, TTY_OP_CHAR },
106 { "FLUSH", 15, TTY_OP_CHAR },
107 { "SWTCH", 16, TTY_OP_CHAR },
108 { "STATUS", 17, TTY_OP_CHAR },
109 { "DISCARD", 18, TTY_OP_CHAR },
110 { "IGNPAR", 30, TTY_OP_BOOL },
111 { "PARMRK", 31, TTY_OP_BOOL },
112 { "INPCK", 32, TTY_OP_BOOL },
113 { "ISTRIP", 33, TTY_OP_BOOL },
114 { "INLCR", 34, TTY_OP_BOOL },
115 { "IGNCR", 35, TTY_OP_BOOL },
116 { "ICRNL", 36, TTY_OP_BOOL },
117 { "IUCLC", 37, TTY_OP_BOOL },
118 { "IXON", 38, TTY_OP_BOOL },
119 { "IXANY", 39, TTY_OP_BOOL },
120 { "IXOFF", 40, TTY_OP_BOOL },
121 { "IMAXBEL", 41, TTY_OP_BOOL },
122 { "ISIG", 50, TTY_OP_BOOL },
123 { "ICANON", 51, TTY_OP_BOOL },
124 { "XCASE", 52, TTY_OP_BOOL },
125 { "ECHO", 53, TTY_OP_BOOL },
126 { "ECHOE", 54, TTY_OP_BOOL },
127 { "ECHOK", 55, TTY_OP_BOOL },
128 { "ECHONL", 56, TTY_OP_BOOL },
129 { "NOFLSH", 57, TTY_OP_BOOL },
130 { "TOSTOP", 58, TTY_OP_BOOL },
131 { "IEXTEN", 59, TTY_OP_BOOL },
132 { "ECHOCTL", 60, TTY_OP_BOOL },
133 { "ECHOKE", 61, TTY_OP_BOOL },
134 { "PENDIN", 62, TTY_OP_BOOL }, /* XXX is this a real mode? */
135 { "OPOST", 70, TTY_OP_BOOL },
136 { "OLCUC", 71, TTY_OP_BOOL },
137 { "ONLCR", 72, TTY_OP_BOOL },
138 { "OCRNL", 73, TTY_OP_BOOL },
139 { "ONOCR", 74, TTY_OP_BOOL },
140 { "ONLRET", 75, TTY_OP_BOOL },
141 { "CS7", 90, TTY_OP_BOOL },
142 { "CS8", 91, TTY_OP_BOOL },
143 { "PARENB", 92, TTY_OP_BOOL },
144 { "PARODD", 93, TTY_OP_BOOL }
147 /* Miscellaneous other tty-related constants. */
148 #define SSH_TTY_OP_END 0
149 /* The opcodes for ISPEED/OSPEED differ between SSH-1 and SSH-2. */
150 #define SSH1_TTY_OP_ISPEED 192
151 #define SSH1_TTY_OP_OSPEED 193
152 #define SSH2_TTY_OP_ISPEED 128
153 #define SSH2_TTY_OP_OSPEED 129
155 /* Helper functions for parsing tty-related config. */
156 static unsigned int ssh_tty_parse_specchar(char *s)
161 ret = ctrlparse(s, &next);
162 if (!next) ret = s[0];
164 ret = 255; /* special value meaning "don't set" */
168 static unsigned int ssh_tty_parse_boolean(char *s)
170 if (stricmp(s, "yes") == 0 ||
171 stricmp(s, "on") == 0 ||
172 stricmp(s, "true") == 0 ||
173 stricmp(s, "+") == 0)
175 else if (stricmp(s, "no") == 0 ||
176 stricmp(s, "off") == 0 ||
177 stricmp(s, "false") == 0 ||
178 stricmp(s, "-") == 0)
179 return 0; /* false */
181 return (atoi(s) != 0);
184 #define translate(x) if (type == x) return #x
185 #define translatek(x,ctx) if (type == x && (pkt_kctx == ctx)) return #x
186 #define translatea(x,ctx) if (type == x && (pkt_actx == ctx)) return #x
187 static char *ssh1_pkt_type(int type)
189 translate(SSH1_MSG_DISCONNECT);
190 translate(SSH1_SMSG_PUBLIC_KEY);
191 translate(SSH1_CMSG_SESSION_KEY);
192 translate(SSH1_CMSG_USER);
193 translate(SSH1_CMSG_AUTH_RSA);
194 translate(SSH1_SMSG_AUTH_RSA_CHALLENGE);
195 translate(SSH1_CMSG_AUTH_RSA_RESPONSE);
196 translate(SSH1_CMSG_AUTH_PASSWORD);
197 translate(SSH1_CMSG_REQUEST_PTY);
198 translate(SSH1_CMSG_WINDOW_SIZE);
199 translate(SSH1_CMSG_EXEC_SHELL);
200 translate(SSH1_CMSG_EXEC_CMD);
201 translate(SSH1_SMSG_SUCCESS);
202 translate(SSH1_SMSG_FAILURE);
203 translate(SSH1_CMSG_STDIN_DATA);
204 translate(SSH1_SMSG_STDOUT_DATA);
205 translate(SSH1_SMSG_STDERR_DATA);
206 translate(SSH1_CMSG_EOF);
207 translate(SSH1_SMSG_EXIT_STATUS);
208 translate(SSH1_MSG_CHANNEL_OPEN_CONFIRMATION);
209 translate(SSH1_MSG_CHANNEL_OPEN_FAILURE);
210 translate(SSH1_MSG_CHANNEL_DATA);
211 translate(SSH1_MSG_CHANNEL_CLOSE);
212 translate(SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION);
213 translate(SSH1_SMSG_X11_OPEN);
214 translate(SSH1_CMSG_PORT_FORWARD_REQUEST);
215 translate(SSH1_MSG_PORT_OPEN);
216 translate(SSH1_CMSG_AGENT_REQUEST_FORWARDING);
217 translate(SSH1_SMSG_AGENT_OPEN);
218 translate(SSH1_MSG_IGNORE);
219 translate(SSH1_CMSG_EXIT_CONFIRMATION);
220 translate(SSH1_CMSG_X11_REQUEST_FORWARDING);
221 translate(SSH1_CMSG_AUTH_RHOSTS_RSA);
222 translate(SSH1_MSG_DEBUG);
223 translate(SSH1_CMSG_REQUEST_COMPRESSION);
224 translate(SSH1_CMSG_AUTH_TIS);
225 translate(SSH1_SMSG_AUTH_TIS_CHALLENGE);
226 translate(SSH1_CMSG_AUTH_TIS_RESPONSE);
227 translate(SSH1_CMSG_AUTH_CCARD);
228 translate(SSH1_SMSG_AUTH_CCARD_CHALLENGE);
229 translate(SSH1_CMSG_AUTH_CCARD_RESPONSE);
232 static char *ssh2_pkt_type(Pkt_KCtx pkt_kctx, Pkt_ACtx pkt_actx, int type)
234 translatea(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE,SSH2_PKTCTX_GSSAPI);
235 translatea(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,SSH2_PKTCTX_GSSAPI);
236 translatea(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,SSH2_PKTCTX_GSSAPI);
237 translatea(SSH2_MSG_USERAUTH_GSSAPI_ERROR,SSH2_PKTCTX_GSSAPI);
238 translatea(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK,SSH2_PKTCTX_GSSAPI);
239 translatea(SSH2_MSG_USERAUTH_GSSAPI_MIC, SSH2_PKTCTX_GSSAPI);
240 translate(SSH2_MSG_DISCONNECT);
241 translate(SSH2_MSG_IGNORE);
242 translate(SSH2_MSG_UNIMPLEMENTED);
243 translate(SSH2_MSG_DEBUG);
244 translate(SSH2_MSG_SERVICE_REQUEST);
245 translate(SSH2_MSG_SERVICE_ACCEPT);
246 translate(SSH2_MSG_KEXINIT);
247 translate(SSH2_MSG_NEWKEYS);
248 translatek(SSH2_MSG_KEXDH_INIT, SSH2_PKTCTX_DHGROUP);
249 translatek(SSH2_MSG_KEXDH_REPLY, SSH2_PKTCTX_DHGROUP);
250 translatek(SSH2_MSG_KEX_DH_GEX_REQUEST, SSH2_PKTCTX_DHGEX);
251 translatek(SSH2_MSG_KEX_DH_GEX_GROUP, SSH2_PKTCTX_DHGEX);
252 translatek(SSH2_MSG_KEX_DH_GEX_INIT, SSH2_PKTCTX_DHGEX);
253 translatek(SSH2_MSG_KEX_DH_GEX_REPLY, SSH2_PKTCTX_DHGEX);
254 translatek(SSH2_MSG_KEXRSA_PUBKEY, SSH2_PKTCTX_RSAKEX);
255 translatek(SSH2_MSG_KEXRSA_SECRET, SSH2_PKTCTX_RSAKEX);
256 translatek(SSH2_MSG_KEXRSA_DONE, SSH2_PKTCTX_RSAKEX);
257 translate(SSH2_MSG_USERAUTH_REQUEST);
258 translate(SSH2_MSG_USERAUTH_FAILURE);
259 translate(SSH2_MSG_USERAUTH_SUCCESS);
260 translate(SSH2_MSG_USERAUTH_BANNER);
261 translatea(SSH2_MSG_USERAUTH_PK_OK, SSH2_PKTCTX_PUBLICKEY);
262 translatea(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, SSH2_PKTCTX_PASSWORD);
263 translatea(SSH2_MSG_USERAUTH_INFO_REQUEST, SSH2_PKTCTX_KBDINTER);
264 translatea(SSH2_MSG_USERAUTH_INFO_RESPONSE, SSH2_PKTCTX_KBDINTER);
265 translate(SSH2_MSG_GLOBAL_REQUEST);
266 translate(SSH2_MSG_REQUEST_SUCCESS);
267 translate(SSH2_MSG_REQUEST_FAILURE);
268 translate(SSH2_MSG_CHANNEL_OPEN);
269 translate(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
270 translate(SSH2_MSG_CHANNEL_OPEN_FAILURE);
271 translate(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
272 translate(SSH2_MSG_CHANNEL_DATA);
273 translate(SSH2_MSG_CHANNEL_EXTENDED_DATA);
274 translate(SSH2_MSG_CHANNEL_EOF);
275 translate(SSH2_MSG_CHANNEL_CLOSE);
276 translate(SSH2_MSG_CHANNEL_REQUEST);
277 translate(SSH2_MSG_CHANNEL_SUCCESS);
278 translate(SSH2_MSG_CHANNEL_FAILURE);
284 /* Enumeration values for fields in SSH-1 packets */
286 PKT_END, PKT_INT, PKT_CHAR, PKT_DATA, PKT_STR, PKT_BIGNUM,
290 * Coroutine mechanics for the sillier bits of the code. If these
291 * macros look impenetrable to you, you might find it helpful to
294 * http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
296 * which explains the theory behind these macros.
298 * In particular, if you are getting `case expression not constant'
299 * errors when building with MS Visual Studio, this is because MS's
300 * Edit and Continue debugging feature causes their compiler to
301 * violate ANSI C. To disable Edit and Continue debugging:
303 * - right-click ssh.c in the FileView
305 * - select the C/C++ tab and the General category
306 * - under `Debug info:', select anything _other_ than `Program
307 * Database for Edit and Continue'.
309 #define crBegin(v) { int *crLine = &v; switch(v) { case 0:;
310 #define crBeginState crBegin(s->crLine)
311 #define crStateP(t, v) \
313 if (!(v)) { s = (v) = snew(struct t); s->crLine = 0; } \
315 #define crState(t) crStateP(t, ssh->t)
316 #define crFinish(z) } *crLine = 0; return (z); }
317 #define crFinishV } *crLine = 0; return; }
318 #define crFinishFree(z) } sfree(s); return (z); }
319 #define crFinishFreeV } sfree(s); return; }
320 #define crReturn(z) \
322 *crLine =__LINE__; return (z); case __LINE__:;\
326 *crLine=__LINE__; return; case __LINE__:;\
328 #define crStop(z) do{ *crLine = 0; return (z); }while(0)
329 #define crStopV do{ *crLine = 0; return; }while(0)
330 #define crWaitUntil(c) do { crReturn(0); } while (!(c))
331 #define crWaitUntilV(c) do { crReturnV; } while (!(c))
335 static struct Packet *ssh1_pkt_init(int pkt_type);
336 static struct Packet *ssh2_pkt_init(int pkt_type);
337 static void ssh_pkt_ensure(struct Packet *, int length);
338 static void ssh_pkt_adddata(struct Packet *, const void *data, int len);
339 static void ssh_pkt_addbyte(struct Packet *, unsigned char value);
340 static void ssh2_pkt_addbool(struct Packet *, unsigned char value);
341 static void ssh_pkt_adduint32(struct Packet *, unsigned long value);
342 static void ssh_pkt_addstring_start(struct Packet *);
343 static void ssh_pkt_addstring_str(struct Packet *, const char *data);
344 static void ssh_pkt_addstring_data(struct Packet *, const char *data, int len);
345 static void ssh_pkt_addstring(struct Packet *, const char *data);
346 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len);
347 static void ssh1_pkt_addmp(struct Packet *, Bignum b);
348 static void ssh2_pkt_addmp(struct Packet *, Bignum b);
349 static int ssh2_pkt_construct(Ssh, struct Packet *);
350 static void ssh2_pkt_send(Ssh, struct Packet *);
351 static void ssh2_pkt_send_noqueue(Ssh, struct Packet *);
352 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
353 struct Packet *pktin);
354 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
355 struct Packet *pktin);
356 static void ssh2_channel_check_close(struct ssh_channel *c);
357 static void ssh_channel_destroy(struct ssh_channel *c);
360 * Buffer management constants. There are several of these for
361 * various different purposes:
363 * - SSH1_BUFFER_LIMIT is the amount of backlog that must build up
364 * on a local data stream before we throttle the whole SSH
365 * connection (in SSH-1 only). Throttling the whole connection is
366 * pretty drastic so we set this high in the hope it won't
369 * - SSH_MAX_BACKLOG is the amount of backlog that must build up
370 * on the SSH connection itself before we defensively throttle
371 * _all_ local data streams. This is pretty drastic too (though
372 * thankfully unlikely in SSH-2 since the window mechanism should
373 * ensure that the server never has any need to throttle its end
374 * of the connection), so we set this high as well.
376 * - OUR_V2_WINSIZE is the maximum window size we present on SSH-2
379 * - OUR_V2_BIGWIN is the window size we advertise for the only
380 * channel in a simple connection. It must be <= INT_MAX.
382 * - OUR_V2_MAXPKT is the official "maximum packet size" we send
383 * to the remote side. This actually has nothing to do with the
384 * size of the _packet_, but is instead a limit on the amount
385 * of data we're willing to receive in a single SSH2 channel
388 * - OUR_V2_PACKETLIMIT is actually the maximum size of SSH
389 * _packet_ we're prepared to cope with. It must be a multiple
390 * of the cipher block size, and must be at least 35000.
393 #define SSH1_BUFFER_LIMIT 32768
394 #define SSH_MAX_BACKLOG 32768
395 #define OUR_V2_WINSIZE 16384
396 #define OUR_V2_BIGWIN 0x7fffffff
397 #define OUR_V2_MAXPKT 0x4000UL
398 #define OUR_V2_PACKETLIMIT 0x9000UL
400 const static struct ssh_signkey *hostkey_algs[] = { &ssh_rsa, &ssh_dss };
402 const static struct ssh_mac *macs[] = {
403 &ssh_hmac_sha256, &ssh_hmac_sha1, &ssh_hmac_sha1_96, &ssh_hmac_md5
405 const static struct ssh_mac *buggymacs[] = {
406 &ssh_hmac_sha1_buggy, &ssh_hmac_sha1_96_buggy, &ssh_hmac_md5
409 static void *ssh_comp_none_init(void)
413 static void ssh_comp_none_cleanup(void *handle)
416 static int ssh_comp_none_block(void *handle, unsigned char *block, int len,
417 unsigned char **outblock, int *outlen)
421 static int ssh_comp_none_disable(void *handle)
425 const static struct ssh_compress ssh_comp_none = {
427 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
428 ssh_comp_none_init, ssh_comp_none_cleanup, ssh_comp_none_block,
429 ssh_comp_none_disable, NULL
431 extern const struct ssh_compress ssh_zlib;
432 const static struct ssh_compress *compressions[] = {
433 &ssh_zlib, &ssh_comp_none
436 enum { /* channel types */
441 CHAN_SOCKDATA_DORMANT, /* one the remote hasn't confirmed */
443 * CHAN_SHARING indicates a channel which is tracked here on
444 * behalf of a connection-sharing downstream. We do almost nothing
445 * with these channels ourselves: all messages relating to them
446 * get thrown straight to sshshare.c and passed on almost
447 * unmodified to downstream.
451 * CHAN_ZOMBIE is used to indicate a channel for which we've
452 * already destroyed the local data source: for instance, if a
453 * forwarded port experiences a socket error on the local side, we
454 * immediately destroy its local socket and turn the SSH channel
460 typedef void (*handler_fn_t)(Ssh ssh, struct Packet *pktin);
461 typedef void (*chandler_fn_t)(Ssh ssh, struct Packet *pktin, void *ctx);
462 typedef void (*cchandler_fn_t)(struct ssh_channel *, struct Packet *, void *);
465 * Each channel has a queue of outstanding CHANNEL_REQUESTS and their
468 struct outstanding_channel_request {
469 cchandler_fn_t handler;
471 struct outstanding_channel_request *next;
475 * 2-3-4 tree storing channels.
478 Ssh ssh; /* pointer back to main context */
479 unsigned remoteid, localid;
481 /* True if we opened this channel but server hasn't confirmed. */
484 * In SSH-1, this value contains four bits:
486 * 1 We have sent SSH1_MSG_CHANNEL_CLOSE.
487 * 2 We have sent SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
488 * 4 We have received SSH1_MSG_CHANNEL_CLOSE.
489 * 8 We have received SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION.
491 * A channel is completely finished with when all four bits are set.
493 * In SSH-2, the four bits mean:
495 * 1 We have sent SSH2_MSG_CHANNEL_EOF.
496 * 2 We have sent SSH2_MSG_CHANNEL_CLOSE.
497 * 4 We have received SSH2_MSG_CHANNEL_EOF.
498 * 8 We have received SSH2_MSG_CHANNEL_CLOSE.
500 * A channel is completely finished with when we have both sent
501 * and received CLOSE.
503 * The symbolic constants below use the SSH-2 terminology, which
504 * is a bit confusing in SSH-1, but we have to use _something_.
506 #define CLOSES_SENT_EOF 1
507 #define CLOSES_SENT_CLOSE 2
508 #define CLOSES_RCVD_EOF 4
509 #define CLOSES_RCVD_CLOSE 8
513 * This flag indicates that an EOF is pending on the outgoing side
514 * of the channel: that is, wherever we're getting the data for
515 * this channel has sent us some data followed by EOF. We can't
516 * actually send the EOF until we've finished sending the data, so
517 * we set this flag instead to remind us to do so once our buffer
523 * True if this channel is causing the underlying connection to be
528 struct ssh2_data_channel {
530 unsigned remwindow, remmaxpkt;
531 /* locwindow is signed so we can cope with excess data. */
532 int locwindow, locmaxwin;
534 * remlocwin is the amount of local window that we think
535 * the remote end had available to it after it sent the
536 * last data packet or window adjust ack.
540 * These store the list of channel requests that haven't
543 struct outstanding_channel_request *chanreq_head, *chanreq_tail;
544 enum { THROTTLED, UNTHROTTLING, UNTHROTTLED } throttle_state;
548 struct ssh_agent_channel {
549 unsigned char *message;
550 unsigned char msglen[4];
551 unsigned lensofar, totallen;
552 int outstanding_requests;
554 struct ssh_x11_channel {
555 struct X11Connection *xconn;
558 struct ssh_pfd_channel {
559 struct PortForwarding *pf;
561 struct ssh_sharing_channel {
568 * 2-3-4 tree storing remote->local port forwardings. SSH-1 and SSH-2
569 * use this structure in different ways, reflecting SSH-2's
570 * altogether saner approach to port forwarding.
572 * In SSH-1, you arrange a remote forwarding by sending the server
573 * the remote port number, and the local destination host:port.
574 * When a connection comes in, the server sends you back that
575 * host:port pair, and you connect to it. This is a ready-made
576 * security hole if you're not on the ball: a malicious server
577 * could send you back _any_ host:port pair, so if you trustingly
578 * connect to the address it gives you then you've just opened the
579 * entire inside of your corporate network just by connecting
580 * through it to a dodgy SSH server. Hence, we must store a list of
581 * host:port pairs we _are_ trying to forward to, and reject a
582 * connection request from the server if it's not in the list.
584 * In SSH-2, each side of the connection minds its own business and
585 * doesn't send unnecessary information to the other. You arrange a
586 * remote forwarding by sending the server just the remote port
587 * number. When a connection comes in, the server tells you which
588 * of its ports was connected to; and _you_ have to remember what
589 * local host:port pair went with that port number.
591 * Hence, in SSH-1 this structure is indexed by destination
592 * host:port pair, whereas in SSH-2 it is indexed by source port.
594 struct ssh_portfwd; /* forward declaration */
596 struct ssh_rportfwd {
597 unsigned sport, dport;
601 struct ssh_portfwd *pfrec;
604 static void free_rportfwd(struct ssh_rportfwd *pf)
607 sfree(pf->sportdesc);
615 * Separately to the rportfwd tree (which is for looking up port
616 * open requests from the server), a tree of _these_ structures is
617 * used to keep track of all the currently open port forwardings,
618 * so that we can reconfigure in mid-session if the user requests
622 enum { DESTROY, KEEP, CREATE } status;
624 unsigned sport, dport;
627 struct ssh_rportfwd *remote;
629 struct PortListener *local;
631 #define free_portfwd(pf) ( \
632 ((pf) ? (sfree((pf)->saddr), sfree((pf)->daddr), \
633 sfree((pf)->sserv), sfree((pf)->dserv)) : (void)0 ), sfree(pf) )
636 long length; /* length of packet: see below */
637 long forcepad; /* SSH-2: force padding to at least this length */
638 int type; /* only used for incoming packets */
639 unsigned long sequence; /* SSH-2 incoming sequence number */
640 unsigned char *data; /* allocated storage */
641 unsigned char *body; /* offset of payload within `data' */
642 long savedpos; /* dual-purpose saved packet position: see below */
643 long maxlen; /* amount of storage allocated for `data' */
644 long encrypted_len; /* for SSH-2 total-size counting */
647 * A note on the 'length' and 'savedpos' fields above.
649 * Incoming packets are set up so that pkt->length is measured
650 * relative to pkt->body, which itself points to a few bytes after
651 * pkt->data (skipping some uninteresting header fields including
652 * the packet type code). The ssh_pkt_get* functions all expect
653 * this setup, and they also use pkt->savedpos to indicate how far
654 * through the packet being decoded they've got - and that, too,
655 * is an offset from pkt->body rather than pkt->data.
657 * During construction of an outgoing packet, however, pkt->length
658 * is measured relative to the base pointer pkt->data, and
659 * pkt->body is not really used for anything until the packet is
660 * ready for sending. In this mode, pkt->savedpos is reused as a
661 * temporary variable by the addstring functions, which write out
662 * a string length field and then keep going back and updating it
663 * as more data is appended to the subsequent string data field;
664 * pkt->savedpos stores the offset (again relative to pkt->data)
665 * of the start of the string data field.
668 /* Extra metadata used in SSH packet logging mode, allowing us to
669 * log in the packet header line that the packet came from a
670 * connection-sharing downstream and what if anything unusual was
671 * done to it. The additional_log_text field is expected to be a
672 * static string - it will not be freed. */
673 unsigned downstream_id;
674 const char *additional_log_text;
677 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
678 struct Packet *pktin);
679 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
680 struct Packet *pktin);
681 static void ssh2_bare_connection_protocol(Ssh ssh, void *vin, int inlen,
682 struct Packet *pktin);
683 static void ssh1_protocol_setup(Ssh ssh);
684 static void ssh2_protocol_setup(Ssh ssh);
685 static void ssh2_bare_connection_protocol_setup(Ssh ssh);
686 static void ssh_size(void *handle, int width, int height);
687 static void ssh_special(void *handle, Telnet_Special);
688 static int ssh2_try_send(struct ssh_channel *c);
689 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf, int len);
690 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize);
691 static void ssh2_set_window(struct ssh_channel *c, int newwin);
692 static int ssh_sendbuffer(void *handle);
693 static int ssh_do_close(Ssh ssh, int notify_exit);
694 static unsigned long ssh_pkt_getuint32(struct Packet *pkt);
695 static int ssh2_pkt_getbool(struct Packet *pkt);
696 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length);
697 static void ssh2_timer(void *ctx, unsigned long now);
698 static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
699 struct Packet *pktin);
700 static void ssh2_msg_unexpected(Ssh ssh, struct Packet *pktin);
702 struct rdpkt1_state_tag {
703 long len, pad, biglen, to_read;
704 unsigned long realcrc, gotcrc;
708 struct Packet *pktin;
711 struct rdpkt2_state_tag {
712 long len, pad, payload, packetlen, maclen;
715 unsigned long incoming_sequence;
716 struct Packet *pktin;
719 struct rdpkt2_bare_state_tag {
723 unsigned long incoming_sequence;
724 struct Packet *pktin;
727 struct queued_handler;
728 struct queued_handler {
730 chandler_fn_t handler;
732 struct queued_handler *next;
736 const struct plug_function_table *fn;
737 /* the above field _must_ be first in the structure */
747 unsigned char session_key[32];
749 int v1_remote_protoflags;
750 int v1_local_protoflags;
751 int agentfwd_enabled;
754 const struct ssh_cipher *cipher;
757 const struct ssh2_cipher *cscipher, *sccipher;
758 void *cs_cipher_ctx, *sc_cipher_ctx;
759 const struct ssh_mac *csmac, *scmac;
760 void *cs_mac_ctx, *sc_mac_ctx;
761 const struct ssh_compress *cscomp, *sccomp;
762 void *cs_comp_ctx, *sc_comp_ctx;
763 const struct ssh_kex *kex;
764 const struct ssh_signkey *hostkey;
765 char *hostkey_str; /* string representation, for easy checking in rekeys */
766 unsigned char v2_session_id[SSH2_KEX_MAX_HASH_LEN];
767 int v2_session_id_len;
771 int attempting_connshare;
777 int echoing, editing;
781 int ospeed, ispeed; /* temporaries */
782 int term_width, term_height;
784 tree234 *channels; /* indexed by local id */
785 struct ssh_channel *mainchan; /* primary session channel */
786 int ncmode; /* is primary channel direct-tcpip? */
791 tree234 *rportfwds, *portfwds;
795 SSH_STATE_BEFORE_SIZE,
801 int size_needed, eof_needed;
802 int sent_console_eof;
803 int got_pty; /* affects EOF behaviour on main channel */
805 struct Packet **queue;
806 int queuelen, queuesize;
808 unsigned char *deferred_send_data;
809 int deferred_len, deferred_size;
812 * Gross hack: pscp will try to start SFTP but fall back to
813 * scp1 if that fails. This variable is the means by which
814 * scp.c can reach into the SSH code and find out which one it
819 bufchain banner; /* accumulates banners during do_ssh2_authconn */
824 struct X11Display *x11disp;
825 struct X11FakeAuth *x11auth;
826 tree234 *x11authtree;
829 int conn_throttle_count;
832 int v1_stdout_throttling;
833 unsigned long v2_outgoing_sequence;
835 int ssh1_rdpkt_crstate;
836 int ssh2_rdpkt_crstate;
837 int ssh2_bare_rdpkt_crstate;
838 int ssh_gotdata_crstate;
839 int do_ssh1_connection_crstate;
841 void *do_ssh_init_state;
842 void *do_ssh1_login_state;
843 void *do_ssh2_transport_state;
844 void *do_ssh2_authconn_state;
845 void *do_ssh_connection_init_state;
847 struct rdpkt1_state_tag rdpkt1_state;
848 struct rdpkt2_state_tag rdpkt2_state;
849 struct rdpkt2_bare_state_tag rdpkt2_bare_state;
851 /* SSH-1 and SSH-2 use this for different things, but both use it */
852 int protocol_initial_phase_done;
854 void (*protocol) (Ssh ssh, void *vin, int inlen,
856 struct Packet *(*s_rdpkt) (Ssh ssh, unsigned char **data, int *datalen);
857 int (*do_ssh_init)(Ssh ssh, unsigned char c);
860 * We maintain our own copy of a Conf structure here. That way,
861 * when we're passed a new one for reconfiguration, we can check
862 * the differences and potentially reconfigure port forwardings
863 * etc in mid-session.
868 * Values cached out of conf so as to avoid the tree234 lookup
869 * cost every time they're used.
874 * Dynamically allocated username string created during SSH
875 * login. Stored in here rather than in the coroutine state so
876 * that it'll be reliably freed if we shut down the SSH session
877 * at some unexpected moment.
882 * Used to transfer data back from async callbacks.
884 void *agent_response;
885 int agent_response_len;
889 * The SSH connection can be set as `frozen', meaning we are
890 * not currently accepting incoming data from the network. This
891 * is slightly more serious than setting the _socket_ as
892 * frozen, because we may already have had data passed to us
893 * from the network which we need to delay processing until
894 * after the freeze is lifted, so we also need a bufchain to
898 bufchain queued_incoming_data;
901 * Dispatch table for packet types that we may have to deal
904 handler_fn_t packet_dispatch[256];
907 * Queues of one-off handler functions for success/failure
908 * indications from a request.
910 struct queued_handler *qhead, *qtail;
911 handler_fn_t q_saved_handler1, q_saved_handler2;
914 * This module deals with sending keepalives.
919 * Track incoming and outgoing data sizes and time, for
922 unsigned long incoming_data_size, outgoing_data_size, deferred_data_size;
923 unsigned long max_data_size;
925 unsigned long next_rekey, last_rekey;
926 char *deferred_rekey_reason; /* points to STATIC string; don't free */
929 * Fully qualified host name, which we need if doing GSSAPI.
935 * GSSAPI libraries for this session.
937 struct ssh_gss_liblist *gsslibs;
941 #define logevent(s) logevent(ssh->frontend, s)
943 /* logevent, only printf-formatted. */
944 static void logeventf(Ssh ssh, const char *fmt, ...)
950 buf = dupvprintf(fmt, ap);
956 static void bomb_out(Ssh ssh, char *text)
958 ssh_do_close(ssh, FALSE);
960 connection_fatal(ssh->frontend, "%s", text);
964 #define bombout(msg) bomb_out(ssh, dupprintf msg)
966 /* Helper function for common bits of parsing ttymodes. */
967 static void parse_ttymodes(Ssh ssh,
968 void (*do_mode)(void *data, char *mode, char *val),
973 for (val = conf_get_str_strs(ssh->conf, CONF_ttymodes, NULL, &key);
975 val = conf_get_str_strs(ssh->conf, CONF_ttymodes, key, &key)) {
977 * val[0] is either 'V', indicating that an explicit value
978 * follows it, or 'A' indicating that we should pass the
979 * value through from the local environment via get_ttymode.
982 val = get_ttymode(ssh->frontend, key);
984 do_mode(data, key, val);
988 do_mode(data, key, val + 1); /* skip the 'V' */
992 static int ssh_channelcmp(void *av, void *bv)
994 struct ssh_channel *a = (struct ssh_channel *) av;
995 struct ssh_channel *b = (struct ssh_channel *) bv;
996 if (a->localid < b->localid)
998 if (a->localid > b->localid)
1002 static int ssh_channelfind(void *av, void *bv)
1004 unsigned *a = (unsigned *) av;
1005 struct ssh_channel *b = (struct ssh_channel *) bv;
1006 if (*a < b->localid)
1008 if (*a > b->localid)
1013 static int ssh_rportcmp_ssh1(void *av, void *bv)
1015 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
1016 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
1018 if ( (i = strcmp(a->dhost, b->dhost)) != 0)
1019 return i < 0 ? -1 : +1;
1020 if (a->dport > b->dport)
1022 if (a->dport < b->dport)
1027 static int ssh_rportcmp_ssh2(void *av, void *bv)
1029 struct ssh_rportfwd *a = (struct ssh_rportfwd *) av;
1030 struct ssh_rportfwd *b = (struct ssh_rportfwd *) bv;
1032 if ( (i = strcmp(a->shost, b->shost)) != 0)
1033 return i < 0 ? -1 : +1;
1034 if (a->sport > b->sport)
1036 if (a->sport < b->sport)
1042 * Special form of strcmp which can cope with NULL inputs. NULL is
1043 * defined to sort before even the empty string.
1045 static int nullstrcmp(const char *a, const char *b)
1047 if (a == NULL && b == NULL)
1053 return strcmp(a, b);
1056 static int ssh_portcmp(void *av, void *bv)
1058 struct ssh_portfwd *a = (struct ssh_portfwd *) av;
1059 struct ssh_portfwd *b = (struct ssh_portfwd *) bv;
1061 if (a->type > b->type)
1063 if (a->type < b->type)
1065 if (a->addressfamily > b->addressfamily)
1067 if (a->addressfamily < b->addressfamily)
1069 if ( (i = nullstrcmp(a->saddr, b->saddr)) != 0)
1070 return i < 0 ? -1 : +1;
1071 if (a->sport > b->sport)
1073 if (a->sport < b->sport)
1075 if (a->type != 'D') {
1076 if ( (i = nullstrcmp(a->daddr, b->daddr)) != 0)
1077 return i < 0 ? -1 : +1;
1078 if (a->dport > b->dport)
1080 if (a->dport < b->dport)
1086 static int alloc_channel_id(Ssh ssh)
1088 const unsigned CHANNEL_NUMBER_OFFSET = 256;
1089 unsigned low, high, mid;
1091 struct ssh_channel *c;
1094 * First-fit allocation of channel numbers: always pick the
1095 * lowest unused one. To do this, binary-search using the
1096 * counted B-tree to find the largest channel ID which is in a
1097 * contiguous sequence from the beginning. (Precisely
1098 * everything in that sequence must have ID equal to its tree
1099 * index plus CHANNEL_NUMBER_OFFSET.)
1101 tsize = count234(ssh->channels);
1105 while (high - low > 1) {
1106 mid = (high + low) / 2;
1107 c = index234(ssh->channels, mid);
1108 if (c->localid == mid + CHANNEL_NUMBER_OFFSET)
1109 low = mid; /* this one is fine */
1111 high = mid; /* this one is past it */
1114 * Now low points to either -1, or the tree index of the
1115 * largest ID in the initial sequence.
1118 unsigned i = low + 1 + CHANNEL_NUMBER_OFFSET;
1119 assert(NULL == find234(ssh->channels, &i, ssh_channelfind));
1121 return low + 1 + CHANNEL_NUMBER_OFFSET;
1124 static void c_write_stderr(int trusted, const char *buf, int len)
1127 for (i = 0; i < len; i++)
1128 if (buf[i] != '\r' && (trusted || buf[i] == '\n' || (buf[i] & 0x60)))
1129 fputc(buf[i], stderr);
1132 static void c_write(Ssh ssh, const char *buf, int len)
1134 if (flags & FLAG_STDERR)
1135 c_write_stderr(1, buf, len);
1137 from_backend(ssh->frontend, 1, buf, len);
1140 static void c_write_untrusted(Ssh ssh, const char *buf, int len)
1142 if (flags & FLAG_STDERR)
1143 c_write_stderr(0, buf, len);
1145 from_backend_untrusted(ssh->frontend, buf, len);
1148 static void c_write_str(Ssh ssh, const char *buf)
1150 c_write(ssh, buf, strlen(buf));
1153 static void ssh_free_packet(struct Packet *pkt)
1158 static struct Packet *ssh_new_packet(void)
1160 struct Packet *pkt = snew(struct Packet);
1162 pkt->body = pkt->data = NULL;
1168 static void ssh1_log_incoming_packet(Ssh ssh, struct Packet *pkt)
1171 struct logblank_t blanks[4];
1177 if (ssh->logomitdata &&
1178 (pkt->type == SSH1_SMSG_STDOUT_DATA ||
1179 pkt->type == SSH1_SMSG_STDERR_DATA ||
1180 pkt->type == SSH1_MSG_CHANNEL_DATA)) {
1181 /* "Session data" packets - omit the data string. */
1182 if (pkt->type == SSH1_MSG_CHANNEL_DATA)
1183 ssh_pkt_getuint32(pkt); /* skip channel id */
1184 blanks[nblanks].offset = pkt->savedpos + 4;
1185 blanks[nblanks].type = PKTLOG_OMIT;
1186 ssh_pkt_getstring(pkt, &str, &slen);
1188 blanks[nblanks].len = slen;
1192 log_packet(ssh->logctx, PKT_INCOMING, pkt->type,
1193 ssh1_pkt_type(pkt->type),
1194 pkt->body, pkt->length, nblanks, blanks, NULL,
1198 static void ssh1_log_outgoing_packet(Ssh ssh, struct Packet *pkt)
1201 struct logblank_t blanks[4];
1206 * For outgoing packets, pkt->length represents the length of the
1207 * whole packet starting at pkt->data (including some header), and
1208 * pkt->body refers to the point within that where the log-worthy
1209 * payload begins. However, incoming packets expect pkt->length to
1210 * represent only the payload length (that is, it's measured from
1211 * pkt->body not from pkt->data). Temporarily adjust our outgoing
1212 * packet to conform to the incoming-packet semantics, so that we
1213 * can analyse it with the ssh_pkt_get functions.
1215 pkt->length -= (pkt->body - pkt->data);
1218 if (ssh->logomitdata &&
1219 (pkt->type == SSH1_CMSG_STDIN_DATA ||
1220 pkt->type == SSH1_MSG_CHANNEL_DATA)) {
1221 /* "Session data" packets - omit the data string. */
1222 if (pkt->type == SSH1_MSG_CHANNEL_DATA)
1223 ssh_pkt_getuint32(pkt); /* skip channel id */
1224 blanks[nblanks].offset = pkt->savedpos + 4;
1225 blanks[nblanks].type = PKTLOG_OMIT;
1226 ssh_pkt_getstring(pkt, &str, &slen);
1228 blanks[nblanks].len = slen;
1233 if ((pkt->type == SSH1_CMSG_AUTH_PASSWORD ||
1234 pkt->type == SSH1_CMSG_AUTH_TIS_RESPONSE ||
1235 pkt->type == SSH1_CMSG_AUTH_CCARD_RESPONSE) &&
1236 conf_get_int(ssh->conf, CONF_logomitpass)) {
1237 /* If this is a password or similar packet, blank the password(s). */
1238 blanks[nblanks].offset = 0;
1239 blanks[nblanks].len = pkt->length;
1240 blanks[nblanks].type = PKTLOG_BLANK;
1242 } else if (pkt->type == SSH1_CMSG_X11_REQUEST_FORWARDING &&
1243 conf_get_int(ssh->conf, CONF_logomitpass)) {
1245 * If this is an X forwarding request packet, blank the fake
1248 * Note that while we blank the X authentication data here, we
1249 * don't take any special action to blank the start of an X11
1250 * channel, so using MIT-MAGIC-COOKIE-1 and actually opening
1251 * an X connection without having session blanking enabled is
1252 * likely to leak your cookie into the log.
1255 ssh_pkt_getstring(pkt, &str, &slen);
1256 blanks[nblanks].offset = pkt->savedpos;
1257 blanks[nblanks].type = PKTLOG_BLANK;
1258 ssh_pkt_getstring(pkt, &str, &slen);
1260 blanks[nblanks].len = pkt->savedpos - blanks[nblanks].offset;
1265 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[12],
1266 ssh1_pkt_type(pkt->data[12]),
1267 pkt->body, pkt->length,
1268 nblanks, blanks, NULL, 0, NULL);
1271 * Undo the above adjustment of pkt->length, to put the packet
1272 * back in the state we found it.
1274 pkt->length += (pkt->body - pkt->data);
1278 * Collect incoming data in the incoming packet buffer.
1279 * Decipher and verify the packet when it is completely read.
1280 * Drop SSH1_MSG_DEBUG and SSH1_MSG_IGNORE packets.
1281 * Update the *data and *datalen variables.
1282 * Return a Packet structure when a packet is completed.
1284 static struct Packet *ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1286 struct rdpkt1_state_tag *st = &ssh->rdpkt1_state;
1288 crBegin(ssh->ssh1_rdpkt_crstate);
1290 st->pktin = ssh_new_packet();
1292 st->pktin->type = 0;
1293 st->pktin->length = 0;
1295 for (st->i = st->len = 0; st->i < 4; st->i++) {
1296 while ((*datalen) == 0)
1298 st->len = (st->len << 8) + **data;
1299 (*data)++, (*datalen)--;
1302 st->pad = 8 - (st->len % 8);
1303 st->biglen = st->len + st->pad;
1304 st->pktin->length = st->len - 5;
1306 if (st->biglen < 0) {
1307 bombout(("Extremely large packet length from server suggests"
1308 " data stream corruption"));
1309 ssh_free_packet(st->pktin);
1313 st->pktin->maxlen = st->biglen;
1314 st->pktin->data = snewn(st->biglen + APIEXTRA, unsigned char);
1316 st->to_read = st->biglen;
1317 st->p = st->pktin->data;
1318 while (st->to_read > 0) {
1319 st->chunk = st->to_read;
1320 while ((*datalen) == 0)
1322 if (st->chunk > (*datalen))
1323 st->chunk = (*datalen);
1324 memcpy(st->p, *data, st->chunk);
1326 *datalen -= st->chunk;
1328 st->to_read -= st->chunk;
1331 if (ssh->cipher && detect_attack(ssh->crcda_ctx, st->pktin->data,
1332 st->biglen, NULL)) {
1333 bombout(("Network attack (CRC compensation) detected!"));
1334 ssh_free_packet(st->pktin);
1339 ssh->cipher->decrypt(ssh->v1_cipher_ctx, st->pktin->data, st->biglen);
1341 st->realcrc = crc32_compute(st->pktin->data, st->biglen - 4);
1342 st->gotcrc = GET_32BIT(st->pktin->data + st->biglen - 4);
1343 if (st->gotcrc != st->realcrc) {
1344 bombout(("Incorrect CRC received on packet"));
1345 ssh_free_packet(st->pktin);
1349 st->pktin->body = st->pktin->data + st->pad + 1;
1351 if (ssh->v1_compressing) {
1352 unsigned char *decompblk;
1354 if (!zlib_decompress_block(ssh->sc_comp_ctx,
1355 st->pktin->body - 1, st->pktin->length + 1,
1356 &decompblk, &decomplen)) {
1357 bombout(("Zlib decompression encountered invalid data"));
1358 ssh_free_packet(st->pktin);
1362 if (st->pktin->maxlen < st->pad + decomplen) {
1363 st->pktin->maxlen = st->pad + decomplen;
1364 st->pktin->data = sresize(st->pktin->data,
1365 st->pktin->maxlen + APIEXTRA,
1367 st->pktin->body = st->pktin->data + st->pad + 1;
1370 memcpy(st->pktin->body - 1, decompblk, decomplen);
1372 st->pktin->length = decomplen - 1;
1375 st->pktin->type = st->pktin->body[-1];
1378 * Now pktin->body and pktin->length identify the semantic content
1379 * of the packet, excluding the initial type byte.
1383 ssh1_log_incoming_packet(ssh, st->pktin);
1385 st->pktin->savedpos = 0;
1387 crFinish(st->pktin);
1390 static void ssh2_log_incoming_packet(Ssh ssh, struct Packet *pkt)
1393 struct logblank_t blanks[4];
1399 if (ssh->logomitdata &&
1400 (pkt->type == SSH2_MSG_CHANNEL_DATA ||
1401 pkt->type == SSH2_MSG_CHANNEL_EXTENDED_DATA)) {
1402 /* "Session data" packets - omit the data string. */
1403 ssh_pkt_getuint32(pkt); /* skip channel id */
1404 if (pkt->type == SSH2_MSG_CHANNEL_EXTENDED_DATA)
1405 ssh_pkt_getuint32(pkt); /* skip extended data type */
1406 blanks[nblanks].offset = pkt->savedpos + 4;
1407 blanks[nblanks].type = PKTLOG_OMIT;
1408 ssh_pkt_getstring(pkt, &str, &slen);
1410 blanks[nblanks].len = slen;
1415 log_packet(ssh->logctx, PKT_INCOMING, pkt->type,
1416 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx, pkt->type),
1417 pkt->body, pkt->length, nblanks, blanks, &pkt->sequence,
1421 static void ssh2_log_outgoing_packet(Ssh ssh, struct Packet *pkt)
1424 struct logblank_t blanks[4];
1429 * For outgoing packets, pkt->length represents the length of the
1430 * whole packet starting at pkt->data (including some header), and
1431 * pkt->body refers to the point within that where the log-worthy
1432 * payload begins. However, incoming packets expect pkt->length to
1433 * represent only the payload length (that is, it's measured from
1434 * pkt->body not from pkt->data). Temporarily adjust our outgoing
1435 * packet to conform to the incoming-packet semantics, so that we
1436 * can analyse it with the ssh_pkt_get functions.
1438 pkt->length -= (pkt->body - pkt->data);
1441 if (ssh->logomitdata &&
1442 (pkt->type == SSH2_MSG_CHANNEL_DATA ||
1443 pkt->type == SSH2_MSG_CHANNEL_EXTENDED_DATA)) {
1444 /* "Session data" packets - omit the data string. */
1445 ssh_pkt_getuint32(pkt); /* skip channel id */
1446 if (pkt->type == SSH2_MSG_CHANNEL_EXTENDED_DATA)
1447 ssh_pkt_getuint32(pkt); /* skip extended data type */
1448 blanks[nblanks].offset = pkt->savedpos + 4;
1449 blanks[nblanks].type = PKTLOG_OMIT;
1450 ssh_pkt_getstring(pkt, &str, &slen);
1452 blanks[nblanks].len = slen;
1457 if (pkt->type == SSH2_MSG_USERAUTH_REQUEST &&
1458 conf_get_int(ssh->conf, CONF_logomitpass)) {
1459 /* If this is a password packet, blank the password(s). */
1461 ssh_pkt_getstring(pkt, &str, &slen);
1462 ssh_pkt_getstring(pkt, &str, &slen);
1463 ssh_pkt_getstring(pkt, &str, &slen);
1464 if (slen == 8 && !memcmp(str, "password", 8)) {
1465 ssh2_pkt_getbool(pkt);
1466 /* Blank the password field. */
1467 blanks[nblanks].offset = pkt->savedpos;
1468 blanks[nblanks].type = PKTLOG_BLANK;
1469 ssh_pkt_getstring(pkt, &str, &slen);
1471 blanks[nblanks].len = pkt->savedpos - blanks[nblanks].offset;
1473 /* If there's another password field beyond it (change of
1474 * password), blank that too. */
1475 ssh_pkt_getstring(pkt, &str, &slen);
1477 blanks[nblanks-1].len =
1478 pkt->savedpos - blanks[nblanks].offset;
1481 } else if (ssh->pkt_actx == SSH2_PKTCTX_KBDINTER &&
1482 pkt->type == SSH2_MSG_USERAUTH_INFO_RESPONSE &&
1483 conf_get_int(ssh->conf, CONF_logomitpass)) {
1484 /* If this is a keyboard-interactive response packet, blank
1487 ssh_pkt_getuint32(pkt);
1488 blanks[nblanks].offset = pkt->savedpos;
1489 blanks[nblanks].type = PKTLOG_BLANK;
1491 ssh_pkt_getstring(pkt, &str, &slen);
1495 blanks[nblanks].len = pkt->savedpos - blanks[nblanks].offset;
1497 } else if (pkt->type == SSH2_MSG_CHANNEL_REQUEST &&
1498 conf_get_int(ssh->conf, CONF_logomitpass)) {
1500 * If this is an X forwarding request packet, blank the fake
1503 * Note that while we blank the X authentication data here, we
1504 * don't take any special action to blank the start of an X11
1505 * channel, so using MIT-MAGIC-COOKIE-1 and actually opening
1506 * an X connection without having session blanking enabled is
1507 * likely to leak your cookie into the log.
1510 ssh_pkt_getuint32(pkt);
1511 ssh_pkt_getstring(pkt, &str, &slen);
1512 if (slen == 7 && !memcmp(str, "x11-req", 0)) {
1513 ssh2_pkt_getbool(pkt);
1514 ssh2_pkt_getbool(pkt);
1515 ssh_pkt_getstring(pkt, &str, &slen);
1516 blanks[nblanks].offset = pkt->savedpos;
1517 blanks[nblanks].type = PKTLOG_BLANK;
1518 ssh_pkt_getstring(pkt, &str, &slen);
1520 blanks[nblanks].len = pkt->savedpos - blanks[nblanks].offset;
1526 log_packet(ssh->logctx, PKT_OUTGOING, pkt->data[5],
1527 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx, pkt->data[5]),
1528 pkt->body, pkt->length, nblanks, blanks,
1529 &ssh->v2_outgoing_sequence,
1530 pkt->downstream_id, pkt->additional_log_text);
1533 * Undo the above adjustment of pkt->length, to put the packet
1534 * back in the state we found it.
1536 pkt->length += (pkt->body - pkt->data);
1539 static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
1541 struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
1543 crBegin(ssh->ssh2_rdpkt_crstate);
1545 st->pktin = ssh_new_packet();
1547 st->pktin->type = 0;
1548 st->pktin->length = 0;
1550 st->cipherblk = ssh->sccipher->blksize;
1553 if (st->cipherblk < 8)
1555 st->maclen = ssh->scmac ? ssh->scmac->len : 0;
1557 if (ssh->sccipher && (ssh->sccipher->flags & SSH_CIPHER_IS_CBC) &&
1560 * When dealing with a CBC-mode cipher, we want to avoid the
1561 * possibility of an attacker's tweaking the ciphertext stream
1562 * so as to cause us to feed the same block to the block
1563 * cipher more than once and thus leak information
1564 * (VU#958563). The way we do this is not to take any
1565 * decisions on the basis of anything we've decrypted until
1566 * we've verified it with a MAC. That includes the packet
1567 * length, so we just read data and check the MAC repeatedly,
1568 * and when the MAC passes, see if the length we've got is
1572 /* May as well allocate the whole lot now. */
1573 st->pktin->data = snewn(OUR_V2_PACKETLIMIT + st->maclen + APIEXTRA,
1576 /* Read an amount corresponding to the MAC. */
1577 for (st->i = 0; st->i < st->maclen; st->i++) {
1578 while ((*datalen) == 0)
1580 st->pktin->data[st->i] = *(*data)++;
1586 unsigned char seq[4];
1587 ssh->scmac->start(ssh->sc_mac_ctx);
1588 PUT_32BIT(seq, st->incoming_sequence);
1589 ssh->scmac->bytes(ssh->sc_mac_ctx, seq, 4);
1592 for (;;) { /* Once around this loop per cipher block. */
1593 /* Read another cipher-block's worth, and tack it onto the end. */
1594 for (st->i = 0; st->i < st->cipherblk; st->i++) {
1595 while ((*datalen) == 0)
1597 st->pktin->data[st->packetlen+st->maclen+st->i] = *(*data)++;
1600 /* Decrypt one more block (a little further back in the stream). */
1601 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1602 st->pktin->data + st->packetlen,
1604 /* Feed that block to the MAC. */
1605 ssh->scmac->bytes(ssh->sc_mac_ctx,
1606 st->pktin->data + st->packetlen, st->cipherblk);
1607 st->packetlen += st->cipherblk;
1608 /* See if that gives us a valid packet. */
1609 if (ssh->scmac->verresult(ssh->sc_mac_ctx,
1610 st->pktin->data + st->packetlen) &&
1611 ((st->len = toint(GET_32BIT(st->pktin->data))) ==
1614 if (st->packetlen >= OUR_V2_PACKETLIMIT) {
1615 bombout(("No valid incoming packet found"));
1616 ssh_free_packet(st->pktin);
1620 st->pktin->maxlen = st->packetlen + st->maclen;
1621 st->pktin->data = sresize(st->pktin->data,
1622 st->pktin->maxlen + APIEXTRA,
1625 st->pktin->data = snewn(st->cipherblk + APIEXTRA, unsigned char);
1628 * Acquire and decrypt the first block of the packet. This will
1629 * contain the length and padding details.
1631 for (st->i = st->len = 0; st->i < st->cipherblk; st->i++) {
1632 while ((*datalen) == 0)
1634 st->pktin->data[st->i] = *(*data)++;
1639 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1640 st->pktin->data, st->cipherblk);
1643 * Now get the length figure.
1645 st->len = toint(GET_32BIT(st->pktin->data));
1648 * _Completely_ silly lengths should be stomped on before they
1649 * do us any more damage.
1651 if (st->len < 0 || st->len > OUR_V2_PACKETLIMIT ||
1652 (st->len + 4) % st->cipherblk != 0) {
1653 bombout(("Incoming packet was garbled on decryption"));
1654 ssh_free_packet(st->pktin);
1659 * So now we can work out the total packet length.
1661 st->packetlen = st->len + 4;
1664 * Allocate memory for the rest of the packet.
1666 st->pktin->maxlen = st->packetlen + st->maclen;
1667 st->pktin->data = sresize(st->pktin->data,
1668 st->pktin->maxlen + APIEXTRA,
1672 * Read and decrypt the remainder of the packet.
1674 for (st->i = st->cipherblk; st->i < st->packetlen + st->maclen;
1676 while ((*datalen) == 0)
1678 st->pktin->data[st->i] = *(*data)++;
1681 /* Decrypt everything _except_ the MAC. */
1683 ssh->sccipher->decrypt(ssh->sc_cipher_ctx,
1684 st->pktin->data + st->cipherblk,
1685 st->packetlen - st->cipherblk);
1691 && !ssh->scmac->verify(ssh->sc_mac_ctx, st->pktin->data,
1692 st->len + 4, st->incoming_sequence)) {
1693 bombout(("Incorrect MAC received on packet"));
1694 ssh_free_packet(st->pktin);
1698 /* Get and sanity-check the amount of random padding. */
1699 st->pad = st->pktin->data[4];
1700 if (st->pad < 4 || st->len - st->pad < 1) {
1701 bombout(("Invalid padding length on received packet"));
1702 ssh_free_packet(st->pktin);
1706 * This enables us to deduce the payload length.
1708 st->payload = st->len - st->pad - 1;
1710 st->pktin->length = st->payload + 5;
1711 st->pktin->encrypted_len = st->packetlen;
1713 st->pktin->sequence = st->incoming_sequence++;
1715 st->pktin->length = st->packetlen - st->pad;
1716 assert(st->pktin->length >= 0);
1719 * Decompress packet payload.
1722 unsigned char *newpayload;
1725 ssh->sccomp->decompress(ssh->sc_comp_ctx,
1726 st->pktin->data + 5, st->pktin->length - 5,
1727 &newpayload, &newlen)) {
1728 if (st->pktin->maxlen < newlen + 5) {
1729 st->pktin->maxlen = newlen + 5;
1730 st->pktin->data = sresize(st->pktin->data,
1731 st->pktin->maxlen + APIEXTRA,
1734 st->pktin->length = 5 + newlen;
1735 memcpy(st->pktin->data + 5, newpayload, newlen);
1741 * pktin->body and pktin->length should identify the semantic
1742 * content of the packet, excluding the initial type byte.
1744 st->pktin->type = st->pktin->data[5];
1745 st->pktin->body = st->pktin->data + 6;
1746 st->pktin->length -= 6;
1747 assert(st->pktin->length >= 0); /* one last double-check */
1750 ssh2_log_incoming_packet(ssh, st->pktin);
1752 st->pktin->savedpos = 0;
1754 crFinish(st->pktin);
1757 static struct Packet *ssh2_bare_connection_rdpkt(Ssh ssh, unsigned char **data,
1760 struct rdpkt2_bare_state_tag *st = &ssh->rdpkt2_bare_state;
1762 crBegin(ssh->ssh2_bare_rdpkt_crstate);
1765 * Read the packet length field.
1767 for (st->i = 0; st->i < 4; st->i++) {
1768 while ((*datalen) == 0)
1770 st->length[st->i] = *(*data)++;
1774 st->packetlen = toint(GET_32BIT_MSB_FIRST(st->length));
1775 if (st->packetlen <= 0 || st->packetlen >= OUR_V2_PACKETLIMIT) {
1776 bombout(("Invalid packet length received"));
1780 st->pktin = ssh_new_packet();
1781 st->pktin->data = snewn(st->packetlen, unsigned char);
1783 st->pktin->encrypted_len = st->packetlen;
1785 st->pktin->sequence = st->incoming_sequence++;
1788 * Read the remainder of the packet.
1790 for (st->i = 0; st->i < st->packetlen; st->i++) {
1791 while ((*datalen) == 0)
1793 st->pktin->data[st->i] = *(*data)++;
1798 * pktin->body and pktin->length should identify the semantic
1799 * content of the packet, excluding the initial type byte.
1801 st->pktin->type = st->pktin->data[0];
1802 st->pktin->body = st->pktin->data + 1;
1803 st->pktin->length = st->packetlen - 1;
1806 * Log incoming packet, possibly omitting sensitive fields.
1809 ssh2_log_incoming_packet(ssh, st->pktin);
1811 st->pktin->savedpos = 0;
1813 crFinish(st->pktin);
1816 static int s_wrpkt_prepare(Ssh ssh, struct Packet *pkt, int *offset_p)
1818 int pad, biglen, i, pktoffs;
1822 * XXX various versions of SC (including 8.8.4) screw up the
1823 * register allocation in this function and use the same register
1824 * (D6) for len and as a temporary, with predictable results. The
1825 * following sledgehammer prevents this.
1832 ssh1_log_outgoing_packet(ssh, pkt);
1834 if (ssh->v1_compressing) {
1835 unsigned char *compblk;
1837 zlib_compress_block(ssh->cs_comp_ctx,
1838 pkt->data + 12, pkt->length - 12,
1839 &compblk, &complen);
1840 ssh_pkt_ensure(pkt, complen + 2); /* just in case it's got bigger */
1841 memcpy(pkt->data + 12, compblk, complen);
1843 pkt->length = complen + 12;
1846 ssh_pkt_ensure(pkt, pkt->length + 4); /* space for CRC */
1848 len = pkt->length - 4 - 8; /* len(type+data+CRC) */
1849 pad = 8 - (len % 8);
1851 biglen = len + pad; /* len(padding+type+data+CRC) */
1853 for (i = pktoffs; i < 4+8; i++)
1854 pkt->data[i] = random_byte();
1855 crc = crc32_compute(pkt->data + pktoffs + 4, biglen - 4); /* all ex len */
1856 PUT_32BIT(pkt->data + pktoffs + 4 + biglen - 4, crc);
1857 PUT_32BIT(pkt->data + pktoffs, len);
1860 ssh->cipher->encrypt(ssh->v1_cipher_ctx,
1861 pkt->data + pktoffs + 4, biglen);
1863 if (offset_p) *offset_p = pktoffs;
1864 return biglen + 4; /* len(length+padding+type+data+CRC) */
1867 static int s_write(Ssh ssh, void *data, int len)
1870 log_packet(ssh->logctx, PKT_OUTGOING, -1, NULL, data, len,
1871 0, NULL, NULL, 0, NULL);
1874 return sk_write(ssh->s, (char *)data, len);
1877 static void s_wrpkt(Ssh ssh, struct Packet *pkt)
1879 int len, backlog, offset;
1880 len = s_wrpkt_prepare(ssh, pkt, &offset);
1881 backlog = s_write(ssh, pkt->data + offset, len);
1882 if (backlog > SSH_MAX_BACKLOG)
1883 ssh_throttle_all(ssh, 1, backlog);
1884 ssh_free_packet(pkt);
1887 static void s_wrpkt_defer(Ssh ssh, struct Packet *pkt)
1890 len = s_wrpkt_prepare(ssh, pkt, &offset);
1891 if (ssh->deferred_len + len > ssh->deferred_size) {
1892 ssh->deferred_size = ssh->deferred_len + len + 128;
1893 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
1897 memcpy(ssh->deferred_send_data + ssh->deferred_len,
1898 pkt->data + offset, len);
1899 ssh->deferred_len += len;
1900 ssh_free_packet(pkt);
1904 * Construct a SSH-1 packet with the specified contents.
1905 * (This all-at-once interface used to be the only one, but now SSH-1
1906 * packets can also be constructed incrementally.)
1908 static struct Packet *construct_packet(Ssh ssh, int pkttype, va_list ap)
1914 pkt = ssh1_pkt_init(pkttype);
1916 while ((argtype = va_arg(ap, int)) != PKT_END) {
1917 unsigned char *argp, argchar;
1919 unsigned long argint;
1922 /* Actual fields in the packet */
1924 argint = va_arg(ap, int);
1925 ssh_pkt_adduint32(pkt, argint);
1928 argchar = (unsigned char) va_arg(ap, int);
1929 ssh_pkt_addbyte(pkt, argchar);
1932 argp = va_arg(ap, unsigned char *);
1933 arglen = va_arg(ap, int);
1934 ssh_pkt_adddata(pkt, argp, arglen);
1937 sargp = va_arg(ap, char *);
1938 ssh_pkt_addstring(pkt, sargp);
1941 bn = va_arg(ap, Bignum);
1942 ssh1_pkt_addmp(pkt, bn);
1950 static void send_packet(Ssh ssh, int pkttype, ...)
1954 va_start(ap, pkttype);
1955 pkt = construct_packet(ssh, pkttype, ap);
1960 static void defer_packet(Ssh ssh, int pkttype, ...)
1964 va_start(ap, pkttype);
1965 pkt = construct_packet(ssh, pkttype, ap);
1967 s_wrpkt_defer(ssh, pkt);
1970 static int ssh_versioncmp(char *a, char *b)
1973 unsigned long av, bv;
1975 av = strtoul(a, &ae, 10);
1976 bv = strtoul(b, &be, 10);
1978 return (av < bv ? -1 : +1);
1983 av = strtoul(ae, &ae, 10);
1984 bv = strtoul(be, &be, 10);
1986 return (av < bv ? -1 : +1);
1991 * Utility routines for putting an SSH-protocol `string' and
1992 * `uint32' into a hash state.
1994 static void hash_string(const struct ssh_hash *h, void *s, void *str, int len)
1996 unsigned char lenblk[4];
1997 PUT_32BIT(lenblk, len);
1998 h->bytes(s, lenblk, 4);
1999 h->bytes(s, str, len);
2002 static void hash_uint32(const struct ssh_hash *h, void *s, unsigned i)
2004 unsigned char intblk[4];
2005 PUT_32BIT(intblk, i);
2006 h->bytes(s, intblk, 4);
2010 * Packet construction functions. Mostly shared between SSH-1 and SSH-2.
2012 static void ssh_pkt_ensure(struct Packet *pkt, int length)
2014 if (pkt->maxlen < length) {
2015 unsigned char *body = pkt->body;
2016 int offset = body ? body - pkt->data : 0;
2017 pkt->maxlen = length + 256;
2018 pkt->data = sresize(pkt->data, pkt->maxlen + APIEXTRA, unsigned char);
2019 if (body) pkt->body = pkt->data + offset;
2022 static void ssh_pkt_adddata(struct Packet *pkt, const void *data, int len)
2025 ssh_pkt_ensure(pkt, pkt->length);
2026 memcpy(pkt->data + pkt->length - len, data, len);
2028 static void ssh_pkt_addbyte(struct Packet *pkt, unsigned char byte)
2030 ssh_pkt_adddata(pkt, &byte, 1);
2032 static void ssh2_pkt_addbool(struct Packet *pkt, unsigned char value)
2034 ssh_pkt_adddata(pkt, &value, 1);
2036 static void ssh_pkt_adduint32(struct Packet *pkt, unsigned long value)
2039 PUT_32BIT(x, value);
2040 ssh_pkt_adddata(pkt, x, 4);
2042 static void ssh_pkt_addstring_start(struct Packet *pkt)
2044 ssh_pkt_adduint32(pkt, 0);
2045 pkt->savedpos = pkt->length;
2047 static void ssh_pkt_addstring_str(struct Packet *pkt, const char *data)
2049 ssh_pkt_adddata(pkt, data, strlen(data));
2050 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
2052 static void ssh_pkt_addstring_data(struct Packet *pkt, const char *data,
2055 ssh_pkt_adddata(pkt, data, len);
2056 PUT_32BIT(pkt->data + pkt->savedpos - 4, pkt->length - pkt->savedpos);
2058 static void ssh_pkt_addstring(struct Packet *pkt, const char *data)
2060 ssh_pkt_addstring_start(pkt);
2061 ssh_pkt_addstring_str(pkt, data);
2063 static void ssh1_pkt_addmp(struct Packet *pkt, Bignum b)
2065 int len = ssh1_bignum_length(b);
2066 unsigned char *data = snewn(len, unsigned char);
2067 (void) ssh1_write_bignum(data, b);
2068 ssh_pkt_adddata(pkt, data, len);
2071 static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
2074 int i, n = (bignum_bitcount(b) + 7) / 8;
2075 p = snewn(n + 1, unsigned char);
2077 for (i = 1; i <= n; i++)
2078 p[i] = bignum_byte(b, n - i);
2080 while (i <= n && p[i] == 0 && (p[i + 1] & 0x80) == 0)
2082 memmove(p, p + i, n + 1 - i);
2086 static void ssh2_pkt_addmp(struct Packet *pkt, Bignum b)
2090 p = ssh2_mpint_fmt(b, &len);
2091 ssh_pkt_addstring_start(pkt);
2092 ssh_pkt_addstring_data(pkt, (char *)p, len);
2096 static struct Packet *ssh1_pkt_init(int pkt_type)
2098 struct Packet *pkt = ssh_new_packet();
2099 pkt->length = 4 + 8; /* space for length + max padding */
2100 ssh_pkt_addbyte(pkt, pkt_type);
2101 pkt->body = pkt->data + pkt->length;
2102 pkt->type = pkt_type;
2103 pkt->downstream_id = 0;
2104 pkt->additional_log_text = NULL;
2108 /* For legacy code (SSH-1 and -2 packet construction used to be separate) */
2109 #define ssh2_pkt_ensure(pkt, length) ssh_pkt_ensure(pkt, length)
2110 #define ssh2_pkt_adddata(pkt, data, len) ssh_pkt_adddata(pkt, data, len)
2111 #define ssh2_pkt_addbyte(pkt, byte) ssh_pkt_addbyte(pkt, byte)
2112 #define ssh2_pkt_adduint32(pkt, value) ssh_pkt_adduint32(pkt, value)
2113 #define ssh2_pkt_addstring_start(pkt) ssh_pkt_addstring_start(pkt)
2114 #define ssh2_pkt_addstring_str(pkt, data) ssh_pkt_addstring_str(pkt, data)
2115 #define ssh2_pkt_addstring_data(pkt, data, len) ssh_pkt_addstring_data(pkt, data, len)
2116 #define ssh2_pkt_addstring(pkt, data) ssh_pkt_addstring(pkt, data)
2118 static struct Packet *ssh2_pkt_init(int pkt_type)
2120 struct Packet *pkt = ssh_new_packet();
2121 pkt->length = 5; /* space for packet length + padding length */
2123 pkt->type = pkt_type;
2124 ssh_pkt_addbyte(pkt, (unsigned char) pkt_type);
2125 pkt->body = pkt->data + pkt->length; /* after packet type */
2126 pkt->downstream_id = 0;
2127 pkt->additional_log_text = NULL;
2132 * Construct an SSH-2 final-form packet: compress it, encrypt it,
2133 * put the MAC on it. Final packet, ready to be sent, is stored in
2134 * pkt->data. Total length is returned.
2136 static int ssh2_pkt_construct(Ssh ssh, struct Packet *pkt)
2138 int cipherblk, maclen, padding, i;
2141 ssh2_log_outgoing_packet(ssh, pkt);
2143 if (ssh->bare_connection) {
2145 * Trivial packet construction for the bare connection
2148 PUT_32BIT(pkt->data + 1, pkt->length - 5);
2149 pkt->body = pkt->data + 1;
2150 ssh->v2_outgoing_sequence++; /* only for diagnostics, really */
2151 return pkt->length - 1;
2155 * Compress packet payload.
2158 unsigned char *newpayload;
2161 ssh->cscomp->compress(ssh->cs_comp_ctx, pkt->data + 5,
2163 &newpayload, &newlen)) {
2165 ssh2_pkt_adddata(pkt, newpayload, newlen);
2171 * Add padding. At least four bytes, and must also bring total
2172 * length (minus MAC) up to a multiple of the block size.
2173 * If pkt->forcepad is set, make sure the packet is at least that size
2176 cipherblk = ssh->cscipher ? ssh->cscipher->blksize : 8; /* block size */
2177 cipherblk = cipherblk < 8 ? 8 : cipherblk; /* or 8 if blksize < 8 */
2179 if (pkt->length + padding < pkt->forcepad)
2180 padding = pkt->forcepad - pkt->length;
2182 (cipherblk - (pkt->length + padding) % cipherblk) % cipherblk;
2183 assert(padding <= 255);
2184 maclen = ssh->csmac ? ssh->csmac->len : 0;
2185 ssh2_pkt_ensure(pkt, pkt->length + padding + maclen);
2186 pkt->data[4] = padding;
2187 for (i = 0; i < padding; i++)
2188 pkt->data[pkt->length + i] = random_byte();
2189 PUT_32BIT(pkt->data, pkt->length + padding - 4);
2191 ssh->csmac->generate(ssh->cs_mac_ctx, pkt->data,
2192 pkt->length + padding,
2193 ssh->v2_outgoing_sequence);
2194 ssh->v2_outgoing_sequence++; /* whether or not we MACed */
2197 ssh->cscipher->encrypt(ssh->cs_cipher_ctx,
2198 pkt->data, pkt->length + padding);
2200 pkt->encrypted_len = pkt->length + padding;
2202 /* Ready-to-send packet starts at pkt->data. We return length. */
2203 pkt->body = pkt->data;
2204 return pkt->length + padding + maclen;
2208 * Routines called from the main SSH code to send packets. There
2209 * are quite a few of these, because we have two separate
2210 * mechanisms for delaying the sending of packets:
2212 * - In order to send an IGNORE message and a password message in
2213 * a single fixed-length blob, we require the ability to
2214 * concatenate the encrypted forms of those two packets _into_ a
2215 * single blob and then pass it to our <network.h> transport
2216 * layer in one go. Hence, there's a deferment mechanism which
2217 * works after packet encryption.
2219 * - In order to avoid sending any connection-layer messages
2220 * during repeat key exchange, we have to queue up any such
2221 * outgoing messages _before_ they are encrypted (and in
2222 * particular before they're allocated sequence numbers), and
2223 * then send them once we've finished.
2225 * I call these mechanisms `defer' and `queue' respectively, so as
2226 * to distinguish them reasonably easily.
2228 * The functions send_noqueue() and defer_noqueue() free the packet
2229 * structure they are passed. Every outgoing packet goes through
2230 * precisely one of these functions in its life; packets passed to
2231 * ssh2_pkt_send() or ssh2_pkt_defer() either go straight to one of
2232 * these or get queued, and then when the queue is later emptied
2233 * the packets are all passed to defer_noqueue().
2235 * When using a CBC-mode cipher, it's necessary to ensure that an
2236 * attacker can't provide data to be encrypted using an IV that they
2237 * know. We ensure this by prefixing each packet that might contain
2238 * user data with an SSH_MSG_IGNORE. This is done using the deferral
2239 * mechanism, so in this case send_noqueue() ends up redirecting to
2240 * defer_noqueue(). If you don't like this inefficiency, don't use
2244 static void ssh2_pkt_defer_noqueue(Ssh, struct Packet *, int);
2245 static void ssh_pkt_defersend(Ssh);
2248 * Send an SSH-2 packet immediately, without queuing or deferring.
2250 static void ssh2_pkt_send_noqueue(Ssh ssh, struct Packet *pkt)
2254 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC)) {
2255 /* We need to send two packets, so use the deferral mechanism. */
2256 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
2257 ssh_pkt_defersend(ssh);
2260 len = ssh2_pkt_construct(ssh, pkt);
2261 backlog = s_write(ssh, pkt->body, len);
2262 if (backlog > SSH_MAX_BACKLOG)
2263 ssh_throttle_all(ssh, 1, backlog);
2265 ssh->outgoing_data_size += pkt->encrypted_len;
2266 if (!ssh->kex_in_progress &&
2267 !ssh->bare_connection &&
2268 ssh->max_data_size != 0 &&
2269 ssh->outgoing_data_size > ssh->max_data_size)
2270 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
2272 ssh_free_packet(pkt);
2276 * Defer an SSH-2 packet.
2278 static void ssh2_pkt_defer_noqueue(Ssh ssh, struct Packet *pkt, int noignore)
2281 if (ssh->cscipher != NULL && (ssh->cscipher->flags & SSH_CIPHER_IS_CBC) &&
2282 ssh->deferred_len == 0 && !noignore &&
2283 !(ssh->remote_bugs & BUG_CHOKES_ON_SSH2_IGNORE)) {
2285 * Interpose an SSH_MSG_IGNORE to ensure that user data don't
2286 * get encrypted with a known IV.
2288 struct Packet *ipkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2289 ssh2_pkt_addstring_start(ipkt);
2290 ssh2_pkt_defer_noqueue(ssh, ipkt, TRUE);
2292 len = ssh2_pkt_construct(ssh, pkt);
2293 if (ssh->deferred_len + len > ssh->deferred_size) {
2294 ssh->deferred_size = ssh->deferred_len + len + 128;
2295 ssh->deferred_send_data = sresize(ssh->deferred_send_data,
2299 memcpy(ssh->deferred_send_data + ssh->deferred_len, pkt->body, len);
2300 ssh->deferred_len += len;
2301 ssh->deferred_data_size += pkt->encrypted_len;
2302 ssh_free_packet(pkt);
2306 * Queue an SSH-2 packet.
2308 static void ssh2_pkt_queue(Ssh ssh, struct Packet *pkt)
2310 assert(ssh->queueing);
2312 if (ssh->queuelen >= ssh->queuesize) {
2313 ssh->queuesize = ssh->queuelen + 32;
2314 ssh->queue = sresize(ssh->queue, ssh->queuesize, struct Packet *);
2317 ssh->queue[ssh->queuelen++] = pkt;
2321 * Either queue or send a packet, depending on whether queueing is
2324 static void ssh2_pkt_send(Ssh ssh, struct Packet *pkt)
2327 ssh2_pkt_queue(ssh, pkt);
2329 ssh2_pkt_send_noqueue(ssh, pkt);
2333 * Either queue or defer a packet, depending on whether queueing is
2336 static void ssh2_pkt_defer(Ssh ssh, struct Packet *pkt)
2339 ssh2_pkt_queue(ssh, pkt);
2341 ssh2_pkt_defer_noqueue(ssh, pkt, FALSE);
2345 * Send the whole deferred data block constructed by
2346 * ssh2_pkt_defer() or SSH-1's defer_packet().
2348 * The expected use of the defer mechanism is that you call
2349 * ssh2_pkt_defer() a few times, then call ssh_pkt_defersend(). If
2350 * not currently queueing, this simply sets up deferred_send_data
2351 * and then sends it. If we _are_ currently queueing, the calls to
2352 * ssh2_pkt_defer() put the deferred packets on to the queue
2353 * instead, and therefore ssh_pkt_defersend() has no deferred data
2354 * to send. Hence, there's no need to make it conditional on
2357 static void ssh_pkt_defersend(Ssh ssh)
2360 backlog = s_write(ssh, ssh->deferred_send_data, ssh->deferred_len);
2361 ssh->deferred_len = ssh->deferred_size = 0;
2362 sfree(ssh->deferred_send_data);
2363 ssh->deferred_send_data = NULL;
2364 if (backlog > SSH_MAX_BACKLOG)
2365 ssh_throttle_all(ssh, 1, backlog);
2367 ssh->outgoing_data_size += ssh->deferred_data_size;
2368 if (!ssh->kex_in_progress &&
2369 !ssh->bare_connection &&
2370 ssh->max_data_size != 0 &&
2371 ssh->outgoing_data_size > ssh->max_data_size)
2372 do_ssh2_transport(ssh, "too much data sent", -1, NULL);
2373 ssh->deferred_data_size = 0;
2377 * Send a packet whose length needs to be disguised (typically
2378 * passwords or keyboard-interactive responses).
2380 static void ssh2_pkt_send_with_padding(Ssh ssh, struct Packet *pkt,
2386 * The simplest way to do this is to adjust the
2387 * variable-length padding field in the outgoing packet.
2389 * Currently compiled out, because some Cisco SSH servers
2390 * don't like excessively padded packets (bah, why's it
2393 pkt->forcepad = padsize;
2394 ssh2_pkt_send(ssh, pkt);
2399 * If we can't do that, however, an alternative approach is
2400 * to use the pkt_defer mechanism to bundle the packet
2401 * tightly together with an SSH_MSG_IGNORE such that their
2402 * combined length is a constant. So first we construct the
2403 * final form of this packet and defer its sending.
2405 ssh2_pkt_defer(ssh, pkt);
2408 * Now construct an SSH_MSG_IGNORE which includes a string
2409 * that's an exact multiple of the cipher block size. (If
2410 * the cipher is NULL so that the block size is
2411 * unavailable, we don't do this trick at all, because we
2412 * gain nothing by it.)
2414 if (ssh->cscipher &&
2415 !(ssh->remote_bugs & BUG_CHOKES_ON_SSH2_IGNORE)) {
2418 stringlen = (256 - ssh->deferred_len);
2419 stringlen += ssh->cscipher->blksize - 1;
2420 stringlen -= (stringlen % ssh->cscipher->blksize);
2423 * Temporarily disable actual compression, so we
2424 * can guarantee to get this string exactly the
2425 * length we want it. The compression-disabling
2426 * routine should return an integer indicating how
2427 * many bytes we should adjust our string length
2431 ssh->cscomp->disable_compression(ssh->cs_comp_ctx);
2433 pkt = ssh2_pkt_init(SSH2_MSG_IGNORE);
2434 ssh2_pkt_addstring_start(pkt);
2435 for (i = 0; i < stringlen; i++) {
2436 char c = (char) random_byte();
2437 ssh2_pkt_addstring_data(pkt, &c, 1);
2439 ssh2_pkt_defer(ssh, pkt);
2441 ssh_pkt_defersend(ssh);
2446 * Send all queued SSH-2 packets. We send them by means of
2447 * ssh2_pkt_defer_noqueue(), in case they included a pair of
2448 * packets that needed to be lumped together.
2450 static void ssh2_pkt_queuesend(Ssh ssh)
2454 assert(!ssh->queueing);
2456 for (i = 0; i < ssh->queuelen; i++)
2457 ssh2_pkt_defer_noqueue(ssh, ssh->queue[i], FALSE);
2460 ssh_pkt_defersend(ssh);
2464 void bndebug(char *string, Bignum b)
2468 p = ssh2_mpint_fmt(b, &len);
2469 debug(("%s", string));
2470 for (i = 0; i < len; i++)
2471 debug((" %02x", p[i]));
2477 static void hash_mpint(const struct ssh_hash *h, void *s, Bignum b)
2481 p = ssh2_mpint_fmt(b, &len);
2482 hash_string(h, s, p, len);
2487 * Packet decode functions for both SSH-1 and SSH-2.
2489 static unsigned long ssh_pkt_getuint32(struct Packet *pkt)
2491 unsigned long value;
2492 if (pkt->length - pkt->savedpos < 4)
2493 return 0; /* arrgh, no way to decline (FIXME?) */
2494 value = GET_32BIT(pkt->body + pkt->savedpos);
2498 static int ssh2_pkt_getbool(struct Packet *pkt)
2500 unsigned long value;
2501 if (pkt->length - pkt->savedpos < 1)
2502 return 0; /* arrgh, no way to decline (FIXME?) */
2503 value = pkt->body[pkt->savedpos] != 0;
2507 static void ssh_pkt_getstring(struct Packet *pkt, char **p, int *length)
2512 if (pkt->length - pkt->savedpos < 4)
2514 len = toint(GET_32BIT(pkt->body + pkt->savedpos));
2519 if (pkt->length - pkt->savedpos < *length)
2521 *p = (char *)(pkt->body + pkt->savedpos);
2522 pkt->savedpos += *length;
2524 static void *ssh_pkt_getdata(struct Packet *pkt, int length)
2526 if (pkt->length - pkt->savedpos < length)
2528 pkt->savedpos += length;
2529 return pkt->body + (pkt->savedpos - length);
2531 static int ssh1_pkt_getrsakey(struct Packet *pkt, struct RSAKey *key,
2532 unsigned char **keystr)
2536 j = makekey(pkt->body + pkt->savedpos,
2537 pkt->length - pkt->savedpos,
2544 assert(pkt->savedpos < pkt->length);
2548 static Bignum ssh1_pkt_getmp(struct Packet *pkt)
2553 j = ssh1_read_bignum(pkt->body + pkt->savedpos,
2554 pkt->length - pkt->savedpos, &b);
2562 static Bignum ssh2_pkt_getmp(struct Packet *pkt)
2568 ssh_pkt_getstring(pkt, &p, &length);
2573 b = bignum_from_bytes((unsigned char *)p, length);
2578 * Helper function to add an SSH-2 signature blob to a packet.
2579 * Expects to be shown the public key blob as well as the signature
2580 * blob. Normally works just like ssh2_pkt_addstring, but will
2581 * fiddle with the signature packet if necessary for
2582 * BUG_SSH2_RSA_PADDING.
2584 static void ssh2_add_sigblob(Ssh ssh, struct Packet *pkt,
2585 void *pkblob_v, int pkblob_len,
2586 void *sigblob_v, int sigblob_len)
2588 unsigned char *pkblob = (unsigned char *)pkblob_v;
2589 unsigned char *sigblob = (unsigned char *)sigblob_v;
2591 /* dmemdump(pkblob, pkblob_len); */
2592 /* dmemdump(sigblob, sigblob_len); */
2595 * See if this is in fact an ssh-rsa signature and a buggy
2596 * server; otherwise we can just do this the easy way.
2598 if ((ssh->remote_bugs & BUG_SSH2_RSA_PADDING) && pkblob_len > 4+7+4 &&
2599 (GET_32BIT(pkblob) == 7 && !memcmp(pkblob+4, "ssh-rsa", 7))) {
2600 int pos, len, siglen;
2603 * Find the byte length of the modulus.
2606 pos = 4+7; /* skip over "ssh-rsa" */
2607 len = toint(GET_32BIT(pkblob+pos)); /* get length of exponent */
2608 if (len < 0 || len > pkblob_len - pos - 4)
2610 pos += 4 + len; /* skip over exponent */
2611 if (pkblob_len - pos < 4)
2613 len = toint(GET_32BIT(pkblob+pos)); /* find length of modulus */
2614 if (len < 0 || len > pkblob_len - pos - 4)
2616 pos += 4; /* find modulus itself */
2617 while (len > 0 && pkblob[pos] == 0)
2619 /* debug(("modulus length is %d\n", len)); */
2622 * Now find the signature integer.
2624 pos = 4+7; /* skip over "ssh-rsa" */
2625 if (sigblob_len < pos+4)
2627 siglen = toint(GET_32BIT(sigblob+pos));
2628 if (siglen != sigblob_len - pos - 4)
2630 /* debug(("signature length is %d\n", siglen)); */
2632 if (len != siglen) {
2633 unsigned char newlen[4];
2634 ssh2_pkt_addstring_start(pkt);
2635 ssh2_pkt_addstring_data(pkt, (char *)sigblob, pos);
2636 /* dmemdump(sigblob, pos); */
2637 pos += 4; /* point to start of actual sig */
2638 PUT_32BIT(newlen, len);
2639 ssh2_pkt_addstring_data(pkt, (char *)newlen, 4);
2640 /* dmemdump(newlen, 4); */
2642 while (len-- > siglen) {
2643 ssh2_pkt_addstring_data(pkt, (char *)newlen, 1);
2644 /* dmemdump(newlen, 1); */
2646 ssh2_pkt_addstring_data(pkt, (char *)(sigblob+pos), siglen);
2647 /* dmemdump(sigblob+pos, siglen); */
2651 /* Otherwise fall through and do it the easy way. We also come
2652 * here as a fallback if we discover above that the key blob
2653 * is misformatted in some way. */
2657 ssh2_pkt_addstring_start(pkt);
2658 ssh2_pkt_addstring_data(pkt, (char *)sigblob, sigblob_len);
2662 * Examine the remote side's version string and compare it against
2663 * a list of known buggy implementations.
2665 static void ssh_detect_bugs(Ssh ssh, char *vstring)
2667 char *imp; /* pointer to implementation part */
2669 imp += strcspn(imp, "-");
2671 imp += strcspn(imp, "-");
2674 ssh->remote_bugs = 0;
2677 * General notes on server version strings:
2678 * - Not all servers reporting "Cisco-1.25" have all the bugs listed
2679 * here -- in particular, we've heard of one that's perfectly happy
2680 * with SSH1_MSG_IGNOREs -- but this string never seems to change,
2681 * so we can't distinguish them.
2683 if (conf_get_int(ssh->conf, CONF_sshbug_ignore1) == FORCE_ON ||
2684 (conf_get_int(ssh->conf, CONF_sshbug_ignore1) == AUTO &&
2685 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
2686 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
2687 !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
2688 !strcmp(imp, "OSU_1.4alpha3") || !strcmp(imp, "OSU_1.5alpha4")))) {
2690 * These versions don't support SSH1_MSG_IGNORE, so we have
2691 * to use a different defence against password length
2694 ssh->remote_bugs |= BUG_CHOKES_ON_SSH1_IGNORE;
2695 logevent("We believe remote version has SSH-1 ignore bug");
2698 if (conf_get_int(ssh->conf, CONF_sshbug_plainpw1) == FORCE_ON ||
2699 (conf_get_int(ssh->conf, CONF_sshbug_plainpw1) == AUTO &&
2700 (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
2702 * These versions need a plain password sent; they can't
2703 * handle having a null and a random length of data after
2706 ssh->remote_bugs |= BUG_NEEDS_SSH1_PLAIN_PASSWORD;
2707 logevent("We believe remote version needs a plain SSH-1 password");
2710 if (conf_get_int(ssh->conf, CONF_sshbug_rsa1) == FORCE_ON ||
2711 (conf_get_int(ssh->conf, CONF_sshbug_rsa1) == AUTO &&
2712 (!strcmp(imp, "Cisco-1.25")))) {
2714 * These versions apparently have no clue whatever about
2715 * RSA authentication and will panic and die if they see
2716 * an AUTH_RSA message.
2718 ssh->remote_bugs |= BUG_CHOKES_ON_RSA;
2719 logevent("We believe remote version can't handle SSH-1 RSA authentication");
2722 if (conf_get_int(ssh->conf, CONF_sshbug_hmac2) == FORCE_ON ||
2723 (conf_get_int(ssh->conf, CONF_sshbug_hmac2) == AUTO &&
2724 !wc_match("* VShell", imp) &&
2725 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
2726 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
2727 wc_match("2.1 *", imp)))) {
2729 * These versions have the HMAC bug.
2731 ssh->remote_bugs |= BUG_SSH2_HMAC;
2732 logevent("We believe remote version has SSH-2 HMAC bug");
2735 if (conf_get_int(ssh->conf, CONF_sshbug_derivekey2) == FORCE_ON ||
2736 (conf_get_int(ssh->conf, CONF_sshbug_derivekey2) == AUTO &&
2737 !wc_match("* VShell", imp) &&
2738 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
2740 * These versions have the key-derivation bug (failing to
2741 * include the literal shared secret in the hashes that
2742 * generate the keys).
2744 ssh->remote_bugs |= BUG_SSH2_DERIVEKEY;
2745 logevent("We believe remote version has SSH-2 key-derivation bug");
2748 if (conf_get_int(ssh->conf, CONF_sshbug_rsapad2) == FORCE_ON ||
2749 (conf_get_int(ssh->conf, CONF_sshbug_rsapad2) == AUTO &&
2750 (wc_match("OpenSSH_2.[5-9]*", imp) ||
2751 wc_match("OpenSSH_3.[0-2]*", imp) ||
2752 wc_match("mod_sftp/0.[0-8]*", imp) ||
2753 wc_match("mod_sftp/0.9.[0-8]", imp)))) {
2755 * These versions have the SSH-2 RSA padding bug.
2757 ssh->remote_bugs |= BUG_SSH2_RSA_PADDING;
2758 logevent("We believe remote version has SSH-2 RSA padding bug");
2761 if (conf_get_int(ssh->conf, CONF_sshbug_pksessid2) == FORCE_ON ||
2762 (conf_get_int(ssh->conf, CONF_sshbug_pksessid2) == AUTO &&
2763 wc_match("OpenSSH_2.[0-2]*", imp))) {
2765 * These versions have the SSH-2 session-ID bug in
2766 * public-key authentication.
2768 ssh->remote_bugs |= BUG_SSH2_PK_SESSIONID;
2769 logevent("We believe remote version has SSH-2 public-key-session-ID bug");
2772 if (conf_get_int(ssh->conf, CONF_sshbug_rekey2) == FORCE_ON ||
2773 (conf_get_int(ssh->conf, CONF_sshbug_rekey2) == AUTO &&
2774 (wc_match("DigiSSH_2.0", imp) ||
2775 wc_match("OpenSSH_2.[0-4]*", imp) ||
2776 wc_match("OpenSSH_2.5.[0-3]*", imp) ||
2777 wc_match("Sun_SSH_1.0", imp) ||
2778 wc_match("Sun_SSH_1.0.1", imp) ||
2779 /* All versions <= 1.2.6 (they changed their format in 1.2.7) */
2780 wc_match("WeOnlyDo-*", imp)))) {
2782 * These versions have the SSH-2 rekey bug.
2784 ssh->remote_bugs |= BUG_SSH2_REKEY;
2785 logevent("We believe remote version has SSH-2 rekey bug");
2788 if (conf_get_int(ssh->conf, CONF_sshbug_maxpkt2) == FORCE_ON ||
2789 (conf_get_int(ssh->conf, CONF_sshbug_maxpkt2) == AUTO &&
2790 (wc_match("1.36_sshlib GlobalSCAPE", imp) ||
2791 wc_match("1.36 sshlib: GlobalScape", imp)))) {
2793 * This version ignores our makpkt and needs to be throttled.
2795 ssh->remote_bugs |= BUG_SSH2_MAXPKT;
2796 logevent("We believe remote version ignores SSH-2 maximum packet size");
2799 if (conf_get_int(ssh->conf, CONF_sshbug_ignore2) == FORCE_ON) {
2801 * Servers that don't support SSH2_MSG_IGNORE. Currently,
2802 * none detected automatically.
2804 ssh->remote_bugs |= BUG_CHOKES_ON_SSH2_IGNORE;
2805 logevent("We believe remote version has SSH-2 ignore bug");
2808 if (conf_get_int(ssh->conf, CONF_sshbug_winadj) == FORCE_ON) {
2810 * Servers that don't support our winadj request for one
2811 * reason or another. Currently, none detected automatically.
2813 ssh->remote_bugs |= BUG_CHOKES_ON_WINADJ;
2814 logevent("We believe remote version has winadj bug");
2817 if (conf_get_int(ssh->conf, CONF_sshbug_chanreq) == FORCE_ON ||
2818 (conf_get_int(ssh->conf, CONF_sshbug_chanreq) == AUTO &&
2819 (wc_match("OpenSSH_[2-5].*", imp) ||
2820 wc_match("OpenSSH_6.[0-6]*", imp)))) {
2822 * These versions have the SSH-2 channel request bug. 6.7 and
2824 * https://bugzilla.mindrot.org/show_bug.cgi?id=1818
2826 ssh->remote_bugs |= BUG_SENDS_LATE_REQUEST_REPLY;
2827 logevent("We believe remote version has SSH-2 channel request bug");
2832 * The `software version' part of an SSH version string is required
2833 * to contain no spaces or minus signs.
2835 static void ssh_fix_verstring(char *str)
2837 /* Eat "<protoversion>-". */
2838 while (*str && *str != '-') str++;
2839 assert(*str == '-'); str++;
2841 /* Convert minus signs and spaces in the remaining string into
2844 if (*str == '-' || *str == ' ')
2851 * Send an appropriate SSH version string.
2853 static void ssh_send_verstring(Ssh ssh, const char *protoname, char *svers)
2857 if (ssh->version == 2) {
2859 * Construct a v2 version string.
2861 verstring = dupprintf("%s2.0-%s\015\012", protoname, sshver);
2864 * Construct a v1 version string.
2866 assert(!strcmp(protoname, "SSH-")); /* no v1 bare connection protocol */
2867 verstring = dupprintf("SSH-%s-%s\012",
2868 (ssh_versioncmp(svers, "1.5") <= 0 ?
2873 ssh_fix_verstring(verstring + strlen(protoname));
2875 if (ssh->version == 2) {
2878 * Record our version string.
2880 len = strcspn(verstring, "\015\012");
2881 ssh->v_c = snewn(len + 1, char);
2882 memcpy(ssh->v_c, verstring, len);
2886 logeventf(ssh, "We claim version: %.*s",
2887 strcspn(verstring, "\015\012"), verstring);
2888 s_write(ssh, verstring, strlen(verstring));
2892 static int do_ssh_init(Ssh ssh, unsigned char c)
2894 static const char protoname[] = "SSH-";
2896 struct do_ssh_init_state {
2905 crState(do_ssh_init_state);
2909 /* Search for a line beginning with the protocol name prefix in
2912 for (s->i = 0; protoname[s->i]; s->i++) {
2913 if ((char)c != protoname[s->i]) goto no;
2923 s->vstrsize = sizeof(protoname) + 16;
2924 s->vstring = snewn(s->vstrsize, char);
2925 strcpy(s->vstring, protoname);
2926 s->vslen = strlen(protoname);
2929 if (s->vslen >= s->vstrsize - 1) {
2931 s->vstring = sresize(s->vstring, s->vstrsize, char);
2933 s->vstring[s->vslen++] = c;
2936 s->version[s->i] = '\0';
2938 } else if (s->i < sizeof(s->version) - 1)
2939 s->version[s->i++] = c;
2940 } else if (c == '\012')
2942 crReturn(1); /* get another char */
2945 ssh->agentfwd_enabled = FALSE;
2946 ssh->rdpkt2_state.incoming_sequence = 0;
2948 s->vstring[s->vslen] = 0;
2949 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
2950 logeventf(ssh, "Server version: %s", s->vstring);
2951 ssh_detect_bugs(ssh, s->vstring);
2954 * Decide which SSH protocol version to support.
2957 /* Anything strictly below "2.0" means protocol 1 is supported. */
2958 s->proto1 = ssh_versioncmp(s->version, "2.0") < 0;
2959 /* Anything greater or equal to "1.99" means protocol 2 is supported. */
2960 s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0;
2962 if (conf_get_int(ssh->conf, CONF_sshprot) == 0 && !s->proto1) {
2963 bombout(("SSH protocol version 1 required by user but not provided by server"));
2966 if (conf_get_int(ssh->conf, CONF_sshprot) == 3 && !s->proto2) {
2967 bombout(("SSH protocol version 2 required by user but not provided by server"));
2971 if (s->proto2 && (conf_get_int(ssh->conf, CONF_sshprot) >= 2 || !s->proto1))
2976 logeventf(ssh, "Using SSH protocol version %d", ssh->version);
2978 /* Send the version string, if we haven't already */
2979 if (conf_get_int(ssh->conf, CONF_sshprot) != 3)
2980 ssh_send_verstring(ssh, protoname, s->version);
2982 if (ssh->version == 2) {
2985 * Record their version string.
2987 len = strcspn(s->vstring, "\015\012");
2988 ssh->v_s = snewn(len + 1, char);
2989 memcpy(ssh->v_s, s->vstring, len);
2993 * Initialise SSH-2 protocol.
2995 ssh->protocol = ssh2_protocol;
2996 ssh2_protocol_setup(ssh);
2997 ssh->s_rdpkt = ssh2_rdpkt;
3000 * Initialise SSH-1 protocol.
3002 ssh->protocol = ssh1_protocol;
3003 ssh1_protocol_setup(ssh);
3004 ssh->s_rdpkt = ssh1_rdpkt;
3006 if (ssh->version == 2)
3007 do_ssh2_transport(ssh, NULL, -1, NULL);
3009 update_specials_menu(ssh->frontend);
3010 ssh->state = SSH_STATE_BEFORE_SIZE;
3011 ssh->pinger = pinger_new(ssh->conf, &ssh_backend, ssh);
3018 static int do_ssh_connection_init(Ssh ssh, unsigned char c)
3021 * Ordinary SSH begins with the banner "SSH-x.y-...". This is just
3022 * the ssh-connection part, extracted and given a trivial binary
3023 * packet protocol, so we replace 'SSH-' at the start with a new
3024 * name. In proper SSH style (though of course this part of the
3025 * proper SSH protocol _isn't_ subject to this kind of
3026 * DNS-domain-based extension), we define the new name in our
3029 static const char protoname[] =
3030 "SSHCONNECTION@putty.projects.tartarus.org-";
3032 struct do_ssh_connection_init_state {
3040 crState(do_ssh_connection_init_state);
3044 /* Search for a line beginning with the protocol name prefix in
3047 for (s->i = 0; protoname[s->i]; s->i++) {
3048 if ((char)c != protoname[s->i]) goto no;
3058 s->vstrsize = sizeof(protoname) + 16;
3059 s->vstring = snewn(s->vstrsize, char);
3060 strcpy(s->vstring, protoname);
3061 s->vslen = strlen(protoname);
3064 if (s->vslen >= s->vstrsize - 1) {
3066 s->vstring = sresize(s->vstring, s->vstrsize, char);
3068 s->vstring[s->vslen++] = c;
3071 s->version[s->i] = '\0';
3073 } else if (s->i < sizeof(s->version) - 1)
3074 s->version[s->i++] = c;
3075 } else if (c == '\012')
3077 crReturn(1); /* get another char */
3080 ssh->agentfwd_enabled = FALSE;
3081 ssh->rdpkt2_bare_state.incoming_sequence = 0;
3083 s->vstring[s->vslen] = 0;
3084 s->vstring[strcspn(s->vstring, "\015\012")] = '\0';/* remove EOL chars */
3085 logeventf(ssh, "Server version: %s", s->vstring);
3086 ssh_detect_bugs(ssh, s->vstring);
3089 * Decide which SSH protocol version to support. This is easy in
3090 * bare ssh-connection mode: only 2.0 is legal.
3092 if (ssh_versioncmp(s->version, "2.0") < 0) {
3093 bombout(("Server announces compatibility with SSH-1 in bare ssh-connection protocol"));
3096 if (conf_get_int(ssh->conf, CONF_sshprot) == 0) {
3097 bombout(("Bare ssh-connection protocol cannot be run in SSH-1-only mode"));
3103 logeventf(ssh, "Using bare ssh-connection protocol");
3105 /* Send the version string, if we haven't already */
3106 ssh_send_verstring(ssh, protoname, s->version);
3109 * Initialise bare connection protocol.
3111 ssh->protocol = ssh2_bare_connection_protocol;
3112 ssh2_bare_connection_protocol_setup(ssh);
3113 ssh->s_rdpkt = ssh2_bare_connection_rdpkt;
3115 update_specials_menu(ssh->frontend);
3116 ssh->state = SSH_STATE_BEFORE_SIZE;
3117 ssh->pinger = pinger_new(ssh->conf, &ssh_backend, ssh);
3120 * Get authconn (really just conn) under way.
3122 do_ssh2_authconn(ssh, NULL, 0, NULL);
3129 static void ssh_process_incoming_data(Ssh ssh,
3130 unsigned char **data, int *datalen)
3132 struct Packet *pktin;
3134 pktin = ssh->s_rdpkt(ssh, data, datalen);
3136 ssh->protocol(ssh, NULL, 0, pktin);
3137 ssh_free_packet(pktin);
3141 static void ssh_queue_incoming_data(Ssh ssh,
3142 unsigned char **data, int *datalen)
3144 bufchain_add(&ssh->queued_incoming_data, *data, *datalen);
3149 static void ssh_process_queued_incoming_data(Ssh ssh)
3152 unsigned char *data;
3155 while (!ssh->frozen && bufchain_size(&ssh->queued_incoming_data)) {
3156 bufchain_prefix(&ssh->queued_incoming_data, &vdata, &len);
3160 while (!ssh->frozen && len > 0)
3161 ssh_process_incoming_data(ssh, &data, &len);
3164 bufchain_consume(&ssh->queued_incoming_data, origlen - len);
3168 static void ssh_set_frozen(Ssh ssh, int frozen)
3171 sk_set_frozen(ssh->s, frozen);
3172 ssh->frozen = frozen;
3175 static void ssh_gotdata(Ssh ssh, unsigned char *data, int datalen)
3177 /* Log raw data, if we're in that mode. */
3179 log_packet(ssh->logctx, PKT_INCOMING, -1, NULL, data, datalen,
3180 0, NULL, NULL, 0, NULL);
3182 crBegin(ssh->ssh_gotdata_crstate);
3185 * To begin with, feed the characters one by one to the
3186 * protocol initialisation / selection function do_ssh_init().
3187 * When that returns 0, we're done with the initial greeting
3188 * exchange and can move on to packet discipline.
3191 int ret; /* need not be kept across crReturn */
3193 crReturnV; /* more data please */
3194 ret = ssh->do_ssh_init(ssh, *data);
3202 * We emerge from that loop when the initial negotiation is
3203 * over and we have selected an s_rdpkt function. Now pass
3204 * everything to s_rdpkt, and then pass the resulting packets
3205 * to the proper protocol handler.
3209 while (bufchain_size(&ssh->queued_incoming_data) > 0 || datalen > 0) {
3211 ssh_queue_incoming_data(ssh, &data, &datalen);
3212 /* This uses up all data and cannot cause anything interesting
3213 * to happen; indeed, for anything to happen at all, we must
3214 * return, so break out. */
3216 } else if (bufchain_size(&ssh->queued_incoming_data) > 0) {
3217 /* This uses up some or all data, and may freeze the
3219 ssh_process_queued_incoming_data(ssh);
3221 /* This uses up some or all data, and may freeze the
3223 ssh_process_incoming_data(ssh, &data, &datalen);
3225 /* FIXME this is probably EBW. */
3226 if (ssh->state == SSH_STATE_CLOSED)
3229 /* We're out of data. Go and get some more. */
3235 static int ssh_do_close(Ssh ssh, int notify_exit)
3238 struct ssh_channel *c;
3240 ssh->state = SSH_STATE_CLOSED;
3241 expire_timer_context(ssh);
3246 notify_remote_exit(ssh->frontend);
3251 * Now we must shut down any port- and X-forwarded channels going
3252 * through this connection.
3254 if (ssh->channels) {
3255 while (NULL != (c = index234(ssh->channels, 0))) {
3258 x11_close(c->u.x11.xconn);
3261 case CHAN_SOCKDATA_DORMANT:
3262 pfd_close(c->u.pfd.pf);
3265 del234(ssh->channels, c); /* moving next one to index 0 */
3266 if (ssh->version == 2)
3267 bufchain_clear(&c->v.v2.outbuffer);
3272 * Go through port-forwardings, and close any associated
3273 * listening sockets.
3275 if (ssh->portfwds) {
3276 struct ssh_portfwd *pf;
3277 while (NULL != (pf = index234(ssh->portfwds, 0))) {
3278 /* Dispose of any listening socket. */
3280 pfl_terminate(pf->local);
3281 del234(ssh->portfwds, pf); /* moving next one to index 0 */
3284 freetree234(ssh->portfwds);
3285 ssh->portfwds = NULL;
3291 static void ssh_socket_log(Plug plug, int type, SockAddr addr, int port,
3292 const char *error_msg, int error_code)
3294 Ssh ssh = (Ssh) plug;
3295 char addrbuf[256], *msg;
3297 if (ssh->attempting_connshare) {
3299 * While we're attempting connection sharing, don't loudly log
3300 * everything that happens. Real TCP connections need to be
3301 * logged when we _start_ trying to connect, because it might
3302 * be ages before they respond if something goes wrong; but
3303 * connection sharing is local and quick to respond, and it's
3304 * sufficient to simply wait and see whether it worked
3308 sk_getaddr(addr, addrbuf, lenof(addrbuf));
3311 if (sk_addr_needs_port(addr)) {
3312 msg = dupprintf("Connecting to %s port %d", addrbuf, port);
3314 msg = dupprintf("Connecting to %s", addrbuf);
3317 msg = dupprintf("Failed to connect to %s: %s", addrbuf, error_msg);
3325 void ssh_connshare_log(Ssh ssh, int event, const char *logtext,
3326 const char *ds_err, const char *us_err)
3328 if (event == SHARE_NONE) {
3329 /* In this case, 'logtext' is an error message indicating a
3330 * reason why connection sharing couldn't be set up _at all_.
3331 * Failing that, ds_err and us_err indicate why we couldn't be
3332 * a downstream and an upstream respectively. */
3334 logeventf(ssh, "Could not set up connection sharing: %s", logtext);
3337 logeventf(ssh, "Could not set up connection sharing"
3338 " as downstream: %s", ds_err);
3340 logeventf(ssh, "Could not set up connection sharing"
3341 " as upstream: %s", us_err);
3343 } else if (event == SHARE_DOWNSTREAM) {
3344 /* In this case, 'logtext' is a local endpoint address */
3345 logeventf(ssh, "Using existing shared connection at %s", logtext);
3346 /* Also we should mention this in the console window to avoid
3347 * confusing users as to why this window doesn't behave the
3349 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
3350 c_write_str(ssh,"Reusing a shared connection to this server.\r\n");
3352 } else if (event == SHARE_UPSTREAM) {
3353 /* In this case, 'logtext' is a local endpoint address too */
3354 logeventf(ssh, "Sharing this connection at %s", logtext);
3358 static int ssh_closing(Plug plug, const char *error_msg, int error_code,
3361 Ssh ssh = (Ssh) plug;
3362 int need_notify = ssh_do_close(ssh, FALSE);
3365 if (!ssh->close_expected)
3366 error_msg = "Server unexpectedly closed network connection";
3368 error_msg = "Server closed network connection";
3371 if (ssh->close_expected && ssh->clean_exit && ssh->exitcode < 0)
3375 notify_remote_exit(ssh->frontend);
3378 logevent(error_msg);
3379 if (!ssh->close_expected || !ssh->clean_exit)
3380 connection_fatal(ssh->frontend, "%s", error_msg);
3384 static int ssh_receive(Plug plug, int urgent, char *data, int len)
3386 Ssh ssh = (Ssh) plug;
3387 ssh_gotdata(ssh, (unsigned char *)data, len);
3388 if (ssh->state == SSH_STATE_CLOSED) {
3389 ssh_do_close(ssh, TRUE);
3395 static void ssh_sent(Plug plug, int bufsize)
3397 Ssh ssh = (Ssh) plug;
3399 * If the send backlog on the SSH socket itself clears, we
3400 * should unthrottle the whole world if it was throttled.
3402 if (bufsize < SSH_MAX_BACKLOG)
3403 ssh_throttle_all(ssh, 0, bufsize);
3407 * Connect to specified host and port.
3408 * Returns an error message, or NULL on success.
3409 * Also places the canonical host name into `realhost'. It must be
3410 * freed by the caller.
3412 static const char *connect_to_host(Ssh ssh, char *host, int port,
3413 char **realhost, int nodelay, int keepalive)
3415 static const struct plug_function_table fn_table = {
3426 int addressfamily, sshprot;
3428 loghost = conf_get_str(ssh->conf, CONF_loghost);
3433 tmphost = dupstr(loghost);
3434 ssh->savedport = 22; /* default ssh port */
3437 * A colon suffix on the hostname string also lets us affect
3438 * savedport. (Unless there are multiple colons, in which case
3439 * we assume this is an unbracketed IPv6 literal.)
3441 colon = host_strrchr(tmphost, ':');
3442 if (colon && colon == host_strchr(tmphost, ':')) {
3445 ssh->savedport = atoi(colon);
3448 ssh->savedhost = host_strduptrim(tmphost);
3451 ssh->savedhost = host_strduptrim(host);
3453 port = 22; /* default ssh port */
3454 ssh->savedport = port;
3457 ssh->fn = &fn_table; /* make 'ssh' usable as a Plug */
3460 * Try connection-sharing, in case that means we don't open a
3461 * socket after all. ssh_connection_sharing_init will connect to a
3462 * previously established upstream if it can, and failing that,
3463 * establish a listening socket for _us_ to be the upstream. In
3464 * the latter case it will return NULL just as if it had done
3465 * nothing, because here we only need to care if we're a
3466 * downstream and need to do our connection setup differently.
3468 ssh->connshare = NULL;
3469 ssh->attempting_connshare = TRUE; /* affects socket logging behaviour */
3470 ssh->s = ssh_connection_sharing_init(ssh->savedhost, ssh->savedport,
3471 ssh->conf, ssh, &ssh->connshare);
3472 ssh->attempting_connshare = FALSE;
3473 if (ssh->s != NULL) {
3475 * We are a downstream.
3477 ssh->bare_connection = TRUE;
3478 ssh->do_ssh_init = do_ssh_connection_init;
3479 ssh->fullhostname = NULL;
3480 *realhost = dupstr(host); /* best we can do */
3483 * We're not a downstream, so open a normal socket.
3485 ssh->do_ssh_init = do_ssh_init;
3490 addressfamily = conf_get_int(ssh->conf, CONF_addressfamily);
3491 logeventf(ssh, "Looking up host \"%s\"%s", host,
3492 (addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
3493 (addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" : "")));
3494 addr = name_lookup(host, port, realhost, ssh->conf, addressfamily);
3495 if ((err = sk_addr_error(addr)) != NULL) {
3499 ssh->fullhostname = dupstr(*realhost); /* save in case of GSSAPI */
3501 ssh->s = new_connection(addr, *realhost, port,
3502 0, 1, nodelay, keepalive,
3503 (Plug) ssh, ssh->conf);
3504 if ((err = sk_socket_error(ssh->s)) != NULL) {
3506 notify_remote_exit(ssh->frontend);
3512 * If the SSH version number's fixed, set it now, and if it's SSH-2,
3513 * send the version string too.
3515 sshprot = conf_get_int(ssh->conf, CONF_sshprot);
3518 if (sshprot == 3 && !ssh->bare_connection) {
3520 ssh_send_verstring(ssh, "SSH-", NULL);
3524 * loghost, if configured, overrides realhost.
3528 *realhost = dupstr(loghost);
3535 * Throttle or unthrottle the SSH connection.
3537 static void ssh_throttle_conn(Ssh ssh, int adjust)
3539 int old_count = ssh->conn_throttle_count;
3540 ssh->conn_throttle_count += adjust;
3541 assert(ssh->conn_throttle_count >= 0);
3542 if (ssh->conn_throttle_count && !old_count) {
3543 ssh_set_frozen(ssh, 1);
3544 } else if (!ssh->conn_throttle_count && old_count) {
3545 ssh_set_frozen(ssh, 0);
3550 * Throttle or unthrottle _all_ local data streams (for when sends
3551 * on the SSH connection itself back up).
3553 static void ssh_throttle_all(Ssh ssh, int enable, int bufsize)
3556 struct ssh_channel *c;
3558 if (enable == ssh->throttled_all)
3560 ssh->throttled_all = enable;
3561 ssh->overall_bufsize = bufsize;
3564 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++) {
3566 case CHAN_MAINSESSION:
3568 * This is treated separately, outside the switch.
3572 x11_override_throttle(c->u.x11.xconn, enable);
3575 /* Agent channels require no buffer management. */
3578 pfd_override_throttle(c->u.pfd.pf, enable);
3584 static void ssh_agent_callback(void *sshv, void *reply, int replylen)
3586 Ssh ssh = (Ssh) sshv;
3588 ssh->agent_response = reply;
3589 ssh->agent_response_len = replylen;
3591 if (ssh->version == 1)
3592 do_ssh1_login(ssh, NULL, -1, NULL);
3594 do_ssh2_authconn(ssh, NULL, -1, NULL);
3597 static void ssh_dialog_callback(void *sshv, int ret)
3599 Ssh ssh = (Ssh) sshv;
3601 ssh->user_response = ret;
3603 if (ssh->version == 1)
3604 do_ssh1_login(ssh, NULL, -1, NULL);
3606 do_ssh2_transport(ssh, NULL, -1, NULL);
3609 * This may have unfrozen the SSH connection, so do a
3612 ssh_process_queued_incoming_data(ssh);
3615 static void ssh_agentf_callback(void *cv, void *reply, int replylen)
3617 struct ssh_channel *c = (struct ssh_channel *)cv;
3619 void *sentreply = reply;
3621 c->u.a.outstanding_requests--;
3623 /* Fake SSH_AGENT_FAILURE. */
3624 sentreply = "\0\0\0\1\5";
3627 if (ssh->version == 2) {
3628 ssh2_add_channel_data(c, sentreply, replylen);
3631 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
3632 PKT_INT, c->remoteid,
3634 PKT_DATA, sentreply, replylen,
3640 * If we've already seen an incoming EOF but haven't sent an
3641 * outgoing one, this may be the moment to send it.
3643 if (c->u.a.outstanding_requests == 0 && (c->closes & CLOSES_RCVD_EOF))
3644 sshfwd_write_eof(c);
3648 * Client-initiated disconnection. Send a DISCONNECT if `wire_reason'
3649 * non-NULL, otherwise just close the connection. `client_reason' == NULL
3650 * => log `wire_reason'.
3652 static void ssh_disconnect(Ssh ssh, char *client_reason, char *wire_reason,
3653 int code, int clean_exit)
3657 client_reason = wire_reason;
3659 error = dupprintf("Disconnected: %s", client_reason);
3661 error = dupstr("Disconnected");
3663 if (ssh->version == 1) {
3664 send_packet(ssh, SSH1_MSG_DISCONNECT, PKT_STR, wire_reason,
3666 } else if (ssh->version == 2) {
3667 struct Packet *pktout = ssh2_pkt_init(SSH2_MSG_DISCONNECT);
3668 ssh2_pkt_adduint32(pktout, code);
3669 ssh2_pkt_addstring(pktout, wire_reason);
3670 ssh2_pkt_addstring(pktout, "en"); /* language tag */
3671 ssh2_pkt_send_noqueue(ssh, pktout);
3674 ssh->close_expected = TRUE;
3675 ssh->clean_exit = clean_exit;
3676 ssh_closing((Plug)ssh, error, 0, 0);
3680 int verify_ssh_manual_host_key(Ssh ssh, const char *fingerprint,
3681 const struct ssh_signkey *ssh2keytype,
3684 if (!conf_get_str_nthstrkey(ssh->conf, CONF_ssh_manual_hostkeys, 0)) {
3685 return -1; /* no manual keys configured */
3690 * The fingerprint string we've been given will have things
3691 * like 'ssh-rsa 2048' at the front of it. Strip those off and
3692 * narrow down to just the colon-separated hex block at the
3693 * end of the string.
3695 const char *p = strrchr(fingerprint, ' ');
3696 fingerprint = p ? p+1 : fingerprint;
3697 /* Quick sanity checks, including making sure it's in lowercase */
3698 assert(strlen(fingerprint) == 16*3 - 1);
3699 assert(fingerprint[2] == ':');
3700 assert(fingerprint[strspn(fingerprint, "0123456789abcdef:")] == 0);
3702 if (conf_get_str_str_opt(ssh->conf, CONF_ssh_manual_hostkeys,
3704 return 1; /* success */
3709 * Construct the base64-encoded public key blob and see if
3712 unsigned char *binblob;
3714 int binlen, atoms, i;
3715 binblob = ssh2keytype->public_blob(ssh2keydata, &binlen);
3716 atoms = (binlen + 2) / 3;
3717 base64blob = snewn(atoms * 4 + 1, char);
3718 for (i = 0; i < atoms; i++)
3719 base64_encode_atom(binblob + 3*i, binlen - 3*i, base64blob + 4*i);
3720 base64blob[atoms * 4] = '\0';
3722 if (conf_get_str_str_opt(ssh->conf, CONF_ssh_manual_hostkeys,
3725 return 1; /* success */
3734 * Handle the key exchange and user authentication phases.
3736 static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
3737 struct Packet *pktin)
3740 unsigned char cookie[8], *ptr;
3741 struct MD5Context md5c;
3742 struct do_ssh1_login_state {
3745 unsigned char *rsabuf, *keystr1, *keystr2;
3746 unsigned long supported_ciphers_mask, supported_auths_mask;
3747 int tried_publickey, tried_agent;
3748 int tis_auth_refused, ccard_auth_refused;
3749 unsigned char session_id[16];
3751 void *publickey_blob;
3752 int publickey_bloblen;
3753 char *publickey_comment;
3754 int publickey_encrypted;
3755 prompts_t *cur_prompt;
3758 unsigned char request[5], *response, *p;
3768 struct RSAKey servkey, hostkey;
3770 crState(do_ssh1_login_state);
3777 if (pktin->type != SSH1_SMSG_PUBLIC_KEY) {
3778 bombout(("Public key packet not received"));
3782 logevent("Received public keys");
3784 ptr = ssh_pkt_getdata(pktin, 8);
3786 bombout(("SSH-1 public key packet stopped before random cookie"));
3789 memcpy(cookie, ptr, 8);
3791 if (!ssh1_pkt_getrsakey(pktin, &s->servkey, &s->keystr1) ||
3792 !ssh1_pkt_getrsakey(pktin, &s->hostkey, &s->keystr2)) {
3793 bombout(("Failed to read SSH-1 public keys from public key packet"));
3798 * Log the host key fingerprint.
3802 logevent("Host key fingerprint is:");
3803 strcpy(logmsg, " ");
3804 s->hostkey.comment = NULL;
3805 rsa_fingerprint(logmsg + strlen(logmsg),
3806 sizeof(logmsg) - strlen(logmsg), &s->hostkey);
3810 ssh->v1_remote_protoflags = ssh_pkt_getuint32(pktin);
3811 s->supported_ciphers_mask = ssh_pkt_getuint32(pktin);
3812 s->supported_auths_mask = ssh_pkt_getuint32(pktin);
3813 if ((ssh->remote_bugs & BUG_CHOKES_ON_RSA))
3814 s->supported_auths_mask &= ~(1 << SSH1_AUTH_RSA);
3816 ssh->v1_local_protoflags =
3817 ssh->v1_remote_protoflags & SSH1_PROTOFLAGS_SUPPORTED;
3818 ssh->v1_local_protoflags |= SSH1_PROTOFLAG_SCREEN_NUMBER;
3821 MD5Update(&md5c, s->keystr2, s->hostkey.bytes);
3822 MD5Update(&md5c, s->keystr1, s->servkey.bytes);
3823 MD5Update(&md5c, cookie, 8);
3824 MD5Final(s->session_id, &md5c);
3826 for (i = 0; i < 32; i++)
3827 ssh->session_key[i] = random_byte();
3830 * Verify that the `bits' and `bytes' parameters match.
3832 if (s->hostkey.bits > s->hostkey.bytes * 8 ||
3833 s->servkey.bits > s->servkey.bytes * 8) {
3834 bombout(("SSH-1 public keys were badly formatted"));
3838 s->len = (s->hostkey.bytes > s->servkey.bytes ?
3839 s->hostkey.bytes : s->servkey.bytes);
3841 s->rsabuf = snewn(s->len, unsigned char);
3844 * Verify the host key.
3848 * First format the key into a string.
3850 int len = rsastr_len(&s->hostkey);
3851 char fingerprint[100];
3852 char *keystr = snewn(len, char);
3853 rsastr_fmt(keystr, &s->hostkey);
3854 rsa_fingerprint(fingerprint, sizeof(fingerprint), &s->hostkey);
3856 /* First check against manually configured host keys. */
3857 s->dlgret = verify_ssh_manual_host_key(ssh, fingerprint, NULL, NULL);
3858 if (s->dlgret == 0) { /* did not match */
3859 bombout(("Host key did not appear in manually configured list"));
3861 } else if (s->dlgret < 0) { /* none configured; use standard handling */
3862 ssh_set_frozen(ssh, 1);
3863 s->dlgret = verify_ssh_host_key(ssh->frontend,
3864 ssh->savedhost, ssh->savedport,
3865 "rsa", keystr, fingerprint,
3866 ssh_dialog_callback, ssh);
3868 if (s->dlgret < 0) {
3872 bombout(("Unexpected data from server while waiting"
3873 " for user host key response"));
3876 } while (pktin || inlen > 0);
3877 s->dlgret = ssh->user_response;
3879 ssh_set_frozen(ssh, 0);
3881 if (s->dlgret == 0) {
3882 ssh_disconnect(ssh, "User aborted at host key verification",
3889 for (i = 0; i < 32; i++) {
3890 s->rsabuf[i] = ssh->session_key[i];
3892 s->rsabuf[i] ^= s->session_id[i];
3895 if (s->hostkey.bytes > s->servkey.bytes) {
3896 ret = rsaencrypt(s->rsabuf, 32, &s->servkey);
3898 ret = rsaencrypt(s->rsabuf, s->servkey.bytes, &s->hostkey);
3900 ret = rsaencrypt(s->rsabuf, 32, &s->hostkey);
3902 ret = rsaencrypt(s->rsabuf, s->hostkey.bytes, &s->servkey);
3905 bombout(("SSH-1 public key encryptions failed due to bad formatting"));
3909 logevent("Encrypted session key");
3912 int cipher_chosen = 0, warn = 0;
3913 char *cipher_string = NULL;
3915 for (i = 0; !cipher_chosen && i < CIPHER_MAX; i++) {
3916 int next_cipher = conf_get_int_int(ssh->conf,
3917 CONF_ssh_cipherlist, i);
3918 if (next_cipher == CIPHER_WARN) {
3919 /* If/when we choose a cipher, warn about it */
3921 } else if (next_cipher == CIPHER_AES) {
3922 /* XXX Probably don't need to mention this. */
3923 logevent("AES not supported in SSH-1, skipping");
3925 switch (next_cipher) {
3926 case CIPHER_3DES: s->cipher_type = SSH_CIPHER_3DES;
3927 cipher_string = "3DES"; break;
3928 case CIPHER_BLOWFISH: s->cipher_type = SSH_CIPHER_BLOWFISH;
3929 cipher_string = "Blowfish"; break;
3930 case CIPHER_DES: s->cipher_type = SSH_CIPHER_DES;
3931 cipher_string = "single-DES"; break;
3933 if (s->supported_ciphers_mask & (1 << s->cipher_type))
3937 if (!cipher_chosen) {
3938 if ((s->supported_ciphers_mask & (1 << SSH_CIPHER_3DES)) == 0)
3939 bombout(("Server violates SSH-1 protocol by not "
3940 "supporting 3DES encryption"));
3942 /* shouldn't happen */
3943 bombout(("No supported ciphers found"));
3947 /* Warn about chosen cipher if necessary. */
3949 ssh_set_frozen(ssh, 1);
3950 s->dlgret = askalg(ssh->frontend, "cipher", cipher_string,
3951 ssh_dialog_callback, ssh);
3952 if (s->dlgret < 0) {
3956 bombout(("Unexpected data from server while waiting"
3957 " for user response"));
3960 } while (pktin || inlen > 0);
3961 s->dlgret = ssh->user_response;
3963 ssh_set_frozen(ssh, 0);
3964 if (s->dlgret == 0) {
3965 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
3972 switch (s->cipher_type) {
3973 case SSH_CIPHER_3DES:
3974 logevent("Using 3DES encryption");
3976 case SSH_CIPHER_DES:
3977 logevent("Using single-DES encryption");
3979 case SSH_CIPHER_BLOWFISH:
3980 logevent("Using Blowfish encryption");
3984 send_packet(ssh, SSH1_CMSG_SESSION_KEY,
3985 PKT_CHAR, s->cipher_type,
3986 PKT_DATA, cookie, 8,
3987 PKT_CHAR, (s->len * 8) >> 8, PKT_CHAR, (s->len * 8) & 0xFF,
3988 PKT_DATA, s->rsabuf, s->len,
3989 PKT_INT, ssh->v1_local_protoflags, PKT_END);
3991 logevent("Trying to enable encryption...");
3995 ssh->cipher = (s->cipher_type == SSH_CIPHER_BLOWFISH ? &ssh_blowfish_ssh1 :
3996 s->cipher_type == SSH_CIPHER_DES ? &ssh_des :
3998 ssh->v1_cipher_ctx = ssh->cipher->make_context();
3999 ssh->cipher->sesskey(ssh->v1_cipher_ctx, ssh->session_key);
4000 logeventf(ssh, "Initialised %s encryption", ssh->cipher->text_name);
4002 ssh->crcda_ctx = crcda_make_context();
4003 logevent("Installing CRC compensation attack detector");
4005 if (s->servkey.modulus) {
4006 sfree(s->servkey.modulus);
4007 s->servkey.modulus = NULL;
4009 if (s->servkey.exponent) {
4010 sfree(s->servkey.exponent);
4011 s->servkey.exponent = NULL;
4013 if (s->hostkey.modulus) {
4014 sfree(s->hostkey.modulus);
4015 s->hostkey.modulus = NULL;
4017 if (s->hostkey.exponent) {
4018 sfree(s->hostkey.exponent);
4019 s->hostkey.exponent = NULL;
4023 if (pktin->type != SSH1_SMSG_SUCCESS) {
4024 bombout(("Encryption not successfully enabled"));
4028 logevent("Successfully started encryption");
4030 fflush(stdout); /* FIXME eh? */
4032 if ((ssh->username = get_remote_username(ssh->conf)) == NULL) {
4033 int ret; /* need not be kept over crReturn */
4034 s->cur_prompt = new_prompts(ssh->frontend);
4035 s->cur_prompt->to_server = TRUE;
4036 s->cur_prompt->name = dupstr("SSH login name");
4037 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE);
4038 ret = get_userpass_input(s->cur_prompt, NULL, 0);
4041 crWaitUntil(!pktin);
4042 ret = get_userpass_input(s->cur_prompt, in, inlen);
4047 * Failed to get a username. Terminate.
4049 free_prompts(s->cur_prompt);
4050 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
4053 ssh->username = dupstr(s->cur_prompt->prompts[0]->result);
4054 free_prompts(s->cur_prompt);
4057 send_packet(ssh, SSH1_CMSG_USER, PKT_STR, ssh->username, PKT_END);
4059 char *userlog = dupprintf("Sent username \"%s\"", ssh->username);
4061 if (flags & FLAG_INTERACTIVE &&
4062 (!((flags & FLAG_STDERR) && (flags & FLAG_VERBOSE)))) {
4063 c_write_str(ssh, userlog);
4064 c_write_str(ssh, "\r\n");
4072 if ((s->supported_auths_mask & (1 << SSH1_AUTH_RSA)) == 0) {
4073 /* We must not attempt PK auth. Pretend we've already tried it. */
4074 s->tried_publickey = s->tried_agent = 1;
4076 s->tried_publickey = s->tried_agent = 0;
4078 s->tis_auth_refused = s->ccard_auth_refused = 0;
4080 * Load the public half of any configured keyfile for later use.
4082 s->keyfile = conf_get_filename(ssh->conf, CONF_keyfile);
4083 if (!filename_is_null(s->keyfile)) {
4085 logeventf(ssh, "Reading private key file \"%.150s\"",
4086 filename_to_str(s->keyfile));
4087 keytype = key_type(s->keyfile);
4088 if (keytype == SSH_KEYTYPE_SSH1) {
4090 if (rsakey_pubblob(s->keyfile,
4091 &s->publickey_blob, &s->publickey_bloblen,
4092 &s->publickey_comment, &error)) {
4093 s->publickey_encrypted = rsakey_encrypted(s->keyfile,
4097 logeventf(ssh, "Unable to load private key (%s)", error);
4098 msgbuf = dupprintf("Unable to load private key file "
4099 "\"%.150s\" (%s)\r\n",
4100 filename_to_str(s->keyfile),
4102 c_write_str(ssh, msgbuf);
4104 s->publickey_blob = NULL;
4108 logeventf(ssh, "Unable to use this key file (%s)",
4109 key_type_to_str(keytype));
4110 msgbuf = dupprintf("Unable to use key file \"%.150s\""
4112 filename_to_str(s->keyfile),
4113 key_type_to_str(keytype));
4114 c_write_str(ssh, msgbuf);
4116 s->publickey_blob = NULL;
4119 s->publickey_blob = NULL;
4121 while (pktin->type == SSH1_SMSG_FAILURE) {
4122 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
4124 if (conf_get_int(ssh->conf, CONF_tryagent) && agent_exists() && !s->tried_agent) {
4126 * Attempt RSA authentication using Pageant.
4132 logevent("Pageant is running. Requesting keys.");
4134 /* Request the keys held by the agent. */
4135 PUT_32BIT(s->request, 1);
4136 s->request[4] = SSH1_AGENTC_REQUEST_RSA_IDENTITIES;
4137 if (!agent_query(s->request, 5, &r, &s->responselen,
4138 ssh_agent_callback, ssh)) {
4142 bombout(("Unexpected data from server while waiting"
4143 " for agent response"));
4146 } while (pktin || inlen > 0);
4147 r = ssh->agent_response;
4148 s->responselen = ssh->agent_response_len;
4150 s->response = (unsigned char *) r;
4151 if (s->response && s->responselen >= 5 &&
4152 s->response[4] == SSH1_AGENT_RSA_IDENTITIES_ANSWER) {
4153 s->p = s->response + 5;
4154 s->nkeys = toint(GET_32BIT(s->p));
4156 logeventf(ssh, "Pageant reported negative key count %d",
4161 logeventf(ssh, "Pageant has %d SSH-1 keys", s->nkeys);
4162 for (s->keyi = 0; s->keyi < s->nkeys; s->keyi++) {
4163 unsigned char *pkblob = s->p;
4167 do { /* do while (0) to make breaking easy */
4168 n = ssh1_read_bignum
4169 (s->p, toint(s->responselen-(s->p-s->response)),
4174 n = ssh1_read_bignum
4175 (s->p, toint(s->responselen-(s->p-s->response)),
4180 if (s->responselen - (s->p-s->response) < 4)
4182 s->commentlen = toint(GET_32BIT(s->p));
4184 if (s->commentlen < 0 ||
4185 toint(s->responselen - (s->p-s->response)) <
4188 s->commentp = (char *)s->p;
4189 s->p += s->commentlen;
4193 logevent("Pageant key list packet was truncated");
4197 if (s->publickey_blob) {
4198 if (!memcmp(pkblob, s->publickey_blob,
4199 s->publickey_bloblen)) {
4200 logeventf(ssh, "Pageant key #%d matches "
4201 "configured key file", s->keyi);
4202 s->tried_publickey = 1;
4204 /* Skip non-configured key */
4207 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
4208 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
4209 PKT_BIGNUM, s->key.modulus, PKT_END);
4211 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
4212 logevent("Key refused");
4215 logevent("Received RSA challenge");
4216 if ((s->challenge = ssh1_pkt_getmp(pktin)) == NULL) {
4217 bombout(("Server's RSA challenge was badly formatted"));
4222 char *agentreq, *q, *ret;
4225 len = 1 + 4; /* message type, bit count */
4226 len += ssh1_bignum_length(s->key.exponent);
4227 len += ssh1_bignum_length(s->key.modulus);
4228 len += ssh1_bignum_length(s->challenge);
4229 len += 16; /* session id */
4230 len += 4; /* response format */
4231 agentreq = snewn(4 + len, char);
4232 PUT_32BIT(agentreq, len);
4234 *q++ = SSH1_AGENTC_RSA_CHALLENGE;
4235 PUT_32BIT(q, bignum_bitcount(s->key.modulus));
4237 q += ssh1_write_bignum(q, s->key.exponent);
4238 q += ssh1_write_bignum(q, s->key.modulus);
4239 q += ssh1_write_bignum(q, s->challenge);
4240 memcpy(q, s->session_id, 16);
4242 PUT_32BIT(q, 1); /* response format */
4243 if (!agent_query(agentreq, len + 4, &vret, &retlen,
4244 ssh_agent_callback, ssh)) {
4249 bombout(("Unexpected data from server"
4250 " while waiting for agent"
4254 } while (pktin || inlen > 0);
4255 vret = ssh->agent_response;
4256 retlen = ssh->agent_response_len;
4261 if (ret[4] == SSH1_AGENT_RSA_RESPONSE) {
4262 logevent("Sending Pageant's response");
4263 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
4264 PKT_DATA, ret + 5, 16,
4268 if (pktin->type == SSH1_SMSG_SUCCESS) {
4270 ("Pageant's response accepted");
4271 if (flags & FLAG_VERBOSE) {
4272 c_write_str(ssh, "Authenticated using"
4274 c_write(ssh, s->commentp,
4276 c_write_str(ssh, "\" from agent\r\n");
4281 ("Pageant's response not accepted");
4284 ("Pageant failed to answer challenge");
4288 logevent("No reply received from Pageant");
4291 freebn(s->key.exponent);
4292 freebn(s->key.modulus);
4293 freebn(s->challenge);
4298 if (s->publickey_blob && !s->tried_publickey)
4299 logevent("Configured key file not in Pageant");
4301 logevent("Failed to get reply from Pageant");
4306 if (s->publickey_blob && !s->tried_publickey) {
4308 * Try public key authentication with the specified
4311 int got_passphrase; /* need not be kept over crReturn */
4312 if (flags & FLAG_VERBOSE)
4313 c_write_str(ssh, "Trying public key authentication.\r\n");
4314 s->keyfile = conf_get_filename(ssh->conf, CONF_keyfile);
4315 logeventf(ssh, "Trying public key \"%s\"",
4316 filename_to_str(s->keyfile));
4317 s->tried_publickey = 1;
4318 got_passphrase = FALSE;
4319 while (!got_passphrase) {
4321 * Get a passphrase, if necessary.
4323 char *passphrase = NULL; /* only written after crReturn */
4325 if (!s->publickey_encrypted) {
4326 if (flags & FLAG_VERBOSE)
4327 c_write_str(ssh, "No passphrase required.\r\n");
4330 int ret; /* need not be kept over crReturn */
4331 s->cur_prompt = new_prompts(ssh->frontend);
4332 s->cur_prompt->to_server = FALSE;
4333 s->cur_prompt->name = dupstr("SSH key passphrase");
4334 add_prompt(s->cur_prompt,
4335 dupprintf("Passphrase for key \"%.100s\": ",
4336 s->publickey_comment), FALSE);
4337 ret = get_userpass_input(s->cur_prompt, NULL, 0);
4340 crWaitUntil(!pktin);
4341 ret = get_userpass_input(s->cur_prompt, in, inlen);
4345 /* Failed to get a passphrase. Terminate. */
4346 free_prompts(s->cur_prompt);
4347 ssh_disconnect(ssh, NULL, "Unable to authenticate",
4351 passphrase = dupstr(s->cur_prompt->prompts[0]->result);
4352 free_prompts(s->cur_prompt);
4355 * Try decrypting key with passphrase.
4357 s->keyfile = conf_get_filename(ssh->conf, CONF_keyfile);
4358 ret = loadrsakey(s->keyfile, &s->key, passphrase,
4361 smemclr(passphrase, strlen(passphrase));
4365 /* Correct passphrase. */
4366 got_passphrase = TRUE;
4367 } else if (ret == 0) {
4368 c_write_str(ssh, "Couldn't load private key from ");
4369 c_write_str(ssh, filename_to_str(s->keyfile));
4370 c_write_str(ssh, " (");
4371 c_write_str(ssh, error);
4372 c_write_str(ssh, ").\r\n");
4373 got_passphrase = FALSE;
4374 break; /* go and try something else */
4375 } else if (ret == -1) {
4376 c_write_str(ssh, "Wrong passphrase.\r\n"); /* FIXME */
4377 got_passphrase = FALSE;
4380 assert(0 && "unexpected return from loadrsakey()");
4381 got_passphrase = FALSE; /* placate optimisers */
4385 if (got_passphrase) {
4388 * Send a public key attempt.
4390 send_packet(ssh, SSH1_CMSG_AUTH_RSA,
4391 PKT_BIGNUM, s->key.modulus, PKT_END);
4394 if (pktin->type == SSH1_SMSG_FAILURE) {
4395 c_write_str(ssh, "Server refused our public key.\r\n");
4396 continue; /* go and try something else */
4398 if (pktin->type != SSH1_SMSG_AUTH_RSA_CHALLENGE) {
4399 bombout(("Bizarre response to offer of public key"));
4405 unsigned char buffer[32];
4406 Bignum challenge, response;
4408 if ((challenge = ssh1_pkt_getmp(pktin)) == NULL) {
4409 bombout(("Server's RSA challenge was badly formatted"));
4412 response = rsadecrypt(challenge, &s->key);
4413 freebn(s->key.private_exponent);/* burn the evidence */
4415 for (i = 0; i < 32; i++) {
4416 buffer[i] = bignum_byte(response, 31 - i);
4420 MD5Update(&md5c, buffer, 32);
4421 MD5Update(&md5c, s->session_id, 16);
4422 MD5Final(buffer, &md5c);
4424 send_packet(ssh, SSH1_CMSG_AUTH_RSA_RESPONSE,
4425 PKT_DATA, buffer, 16, PKT_END);
4432 if (pktin->type == SSH1_SMSG_FAILURE) {
4433 if (flags & FLAG_VERBOSE)
4434 c_write_str(ssh, "Failed to authenticate with"
4435 " our public key.\r\n");
4436 continue; /* go and try something else */
4437 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
4438 bombout(("Bizarre response to RSA authentication response"));
4442 break; /* we're through! */
4448 * Otherwise, try various forms of password-like authentication.
4450 s->cur_prompt = new_prompts(ssh->frontend);
4452 if (conf_get_int(ssh->conf, CONF_try_tis_auth) &&
4453 (s->supported_auths_mask & (1 << SSH1_AUTH_TIS)) &&
4454 !s->tis_auth_refused) {
4455 s->pwpkt_type = SSH1_CMSG_AUTH_TIS_RESPONSE;
4456 logevent("Requested TIS authentication");
4457 send_packet(ssh, SSH1_CMSG_AUTH_TIS, PKT_END);
4459 if (pktin->type != SSH1_SMSG_AUTH_TIS_CHALLENGE) {
4460 logevent("TIS authentication declined");
4461 if (flags & FLAG_INTERACTIVE)
4462 c_write_str(ssh, "TIS authentication refused.\r\n");
4463 s->tis_auth_refused = 1;
4468 char *instr_suf, *prompt;
4470 ssh_pkt_getstring(pktin, &challenge, &challengelen);
4472 bombout(("TIS challenge packet was badly formed"));
4475 logevent("Received TIS challenge");
4476 s->cur_prompt->to_server = TRUE;
4477 s->cur_prompt->name = dupstr("SSH TIS authentication");
4478 /* Prompt heuristic comes from OpenSSH */
4479 if (memchr(challenge, '\n', challengelen)) {
4480 instr_suf = dupstr("");
4481 prompt = dupprintf("%.*s", challengelen, challenge);
4483 instr_suf = dupprintf("%.*s", challengelen, challenge);
4484 prompt = dupstr("Response: ");
4486 s->cur_prompt->instruction =
4487 dupprintf("Using TIS authentication.%s%s",
4488 (*instr_suf) ? "\n" : "",
4490 s->cur_prompt->instr_reqd = TRUE;
4491 add_prompt(s->cur_prompt, prompt, FALSE);
4495 if (conf_get_int(ssh->conf, CONF_try_tis_auth) &&
4496 (s->supported_auths_mask & (1 << SSH1_AUTH_CCARD)) &&
4497 !s->ccard_auth_refused) {
4498 s->pwpkt_type = SSH1_CMSG_AUTH_CCARD_RESPONSE;
4499 logevent("Requested CryptoCard authentication");
4500 send_packet(ssh, SSH1_CMSG_AUTH_CCARD, PKT_END);
4502 if (pktin->type != SSH1_SMSG_AUTH_CCARD_CHALLENGE) {
4503 logevent("CryptoCard authentication declined");
4504 c_write_str(ssh, "CryptoCard authentication refused.\r\n");
4505 s->ccard_auth_refused = 1;
4510 char *instr_suf, *prompt;
4512 ssh_pkt_getstring(pktin, &challenge, &challengelen);
4514 bombout(("CryptoCard challenge packet was badly formed"));
4517 logevent("Received CryptoCard challenge");
4518 s->cur_prompt->to_server = TRUE;
4519 s->cur_prompt->name = dupstr("SSH CryptoCard authentication");
4520 s->cur_prompt->name_reqd = FALSE;
4521 /* Prompt heuristic comes from OpenSSH */
4522 if (memchr(challenge, '\n', challengelen)) {
4523 instr_suf = dupstr("");
4524 prompt = dupprintf("%.*s", challengelen, challenge);
4526 instr_suf = dupprintf("%.*s", challengelen, challenge);
4527 prompt = dupstr("Response: ");
4529 s->cur_prompt->instruction =
4530 dupprintf("Using CryptoCard authentication.%s%s",
4531 (*instr_suf) ? "\n" : "",
4533 s->cur_prompt->instr_reqd = TRUE;
4534 add_prompt(s->cur_prompt, prompt, FALSE);
4538 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
4539 if ((s->supported_auths_mask & (1 << SSH1_AUTH_PASSWORD)) == 0) {
4540 bombout(("No supported authentication methods available"));
4543 s->cur_prompt->to_server = TRUE;
4544 s->cur_prompt->name = dupstr("SSH password");
4545 add_prompt(s->cur_prompt, dupprintf("%s@%s's password: ",
4546 ssh->username, ssh->savedhost),
4551 * Show password prompt, having first obtained it via a TIS
4552 * or CryptoCard exchange if we're doing TIS or CryptoCard
4556 int ret; /* need not be kept over crReturn */
4557 ret = get_userpass_input(s->cur_prompt, NULL, 0);
4560 crWaitUntil(!pktin);
4561 ret = get_userpass_input(s->cur_prompt, in, inlen);
4566 * Failed to get a password (for example
4567 * because one was supplied on the command line
4568 * which has already failed to work). Terminate.
4570 free_prompts(s->cur_prompt);
4571 ssh_disconnect(ssh, NULL, "Unable to authenticate", 0, TRUE);
4576 if (s->pwpkt_type == SSH1_CMSG_AUTH_PASSWORD) {
4578 * Defence against traffic analysis: we send a
4579 * whole bunch of packets containing strings of
4580 * different lengths. One of these strings is the
4581 * password, in a SSH1_CMSG_AUTH_PASSWORD packet.
4582 * The others are all random data in
4583 * SSH1_MSG_IGNORE packets. This way a passive
4584 * listener can't tell which is the password, and
4585 * hence can't deduce the password length.
4587 * Anybody with a password length greater than 16
4588 * bytes is going to have enough entropy in their
4589 * password that a listener won't find it _that_
4590 * much help to know how long it is. So what we'll
4593 * - if password length < 16, we send 15 packets
4594 * containing string lengths 1 through 15
4596 * - otherwise, we let N be the nearest multiple
4597 * of 8 below the password length, and send 8
4598 * packets containing string lengths N through
4599 * N+7. This won't obscure the order of
4600 * magnitude of the password length, but it will
4601 * introduce a bit of extra uncertainty.
4603 * A few servers can't deal with SSH1_MSG_IGNORE, at
4604 * least in this context. For these servers, we need
4605 * an alternative defence. We make use of the fact
4606 * that the password is interpreted as a C string:
4607 * so we can append a NUL, then some random data.
4609 * A few servers can deal with neither SSH1_MSG_IGNORE
4610 * here _nor_ a padded password string.
4611 * For these servers we are left with no defences
4612 * against password length sniffing.
4614 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE) &&
4615 !(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
4617 * The server can deal with SSH1_MSG_IGNORE, so
4618 * we can use the primary defence.
4620 int bottom, top, pwlen, i;
4623 pwlen = strlen(s->cur_prompt->prompts[0]->result);
4625 bottom = 0; /* zero length passwords are OK! :-) */
4628 bottom = pwlen & ~7;
4632 assert(pwlen >= bottom && pwlen <= top);
4634 randomstr = snewn(top + 1, char);
4636 for (i = bottom; i <= top; i++) {
4638 defer_packet(ssh, s->pwpkt_type,
4639 PKT_STR,s->cur_prompt->prompts[0]->result,
4642 for (j = 0; j < i; j++) {
4644 randomstr[j] = random_byte();
4645 } while (randomstr[j] == '\0');
4647 randomstr[i] = '\0';
4648 defer_packet(ssh, SSH1_MSG_IGNORE,
4649 PKT_STR, randomstr, PKT_END);
4652 logevent("Sending password with camouflage packets");
4653 ssh_pkt_defersend(ssh);
4656 else if (!(ssh->remote_bugs & BUG_NEEDS_SSH1_PLAIN_PASSWORD)) {
4658 * The server can't deal with SSH1_MSG_IGNORE
4659 * but can deal with padded passwords, so we
4660 * can use the secondary defence.
4666 len = strlen(s->cur_prompt->prompts[0]->result);
4667 if (len < sizeof(string)) {
4669 strcpy(string, s->cur_prompt->prompts[0]->result);
4670 len++; /* cover the zero byte */
4671 while (len < sizeof(string)) {
4672 string[len++] = (char) random_byte();
4675 ss = s->cur_prompt->prompts[0]->result;
4677 logevent("Sending length-padded password");
4678 send_packet(ssh, s->pwpkt_type,
4679 PKT_INT, len, PKT_DATA, ss, len,
4683 * The server is believed unable to cope with
4684 * any of our password camouflage methods.
4687 len = strlen(s->cur_prompt->prompts[0]->result);
4688 logevent("Sending unpadded password");
4689 send_packet(ssh, s->pwpkt_type,
4691 PKT_DATA, s->cur_prompt->prompts[0]->result, len,
4695 send_packet(ssh, s->pwpkt_type,
4696 PKT_STR, s->cur_prompt->prompts[0]->result,
4699 logevent("Sent password");
4700 free_prompts(s->cur_prompt);
4702 if (pktin->type == SSH1_SMSG_FAILURE) {
4703 if (flags & FLAG_VERBOSE)
4704 c_write_str(ssh, "Access denied\r\n");
4705 logevent("Authentication refused");
4706 } else if (pktin->type != SSH1_SMSG_SUCCESS) {
4707 bombout(("Strange packet received, type %d", pktin->type));
4713 if (s->publickey_blob) {
4714 sfree(s->publickey_blob);
4715 sfree(s->publickey_comment);
4718 logevent("Authentication successful");
4723 static void ssh_channel_try_eof(struct ssh_channel *c)
4726 assert(c->pending_eof); /* precondition for calling us */
4728 return; /* can't close: not even opened yet */
4729 if (ssh->version == 2 && bufchain_size(&c->v.v2.outbuffer) > 0)
4730 return; /* can't send EOF: pending outgoing data */
4732 c->pending_eof = FALSE; /* we're about to send it */
4733 if (ssh->version == 1) {
4734 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
4736 c->closes |= CLOSES_SENT_EOF;
4738 struct Packet *pktout;
4739 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_EOF);
4740 ssh2_pkt_adduint32(pktout, c->remoteid);
4741 ssh2_pkt_send(ssh, pktout);
4742 c->closes |= CLOSES_SENT_EOF;
4743 ssh2_channel_check_close(c);
4747 Conf *sshfwd_get_conf(struct ssh_channel *c)
4753 void sshfwd_write_eof(struct ssh_channel *c)
4757 if (ssh->state == SSH_STATE_CLOSED)
4760 if (c->closes & CLOSES_SENT_EOF)
4763 c->pending_eof = TRUE;
4764 ssh_channel_try_eof(c);
4767 void sshfwd_unclean_close(struct ssh_channel *c, const char *err)
4771 if (ssh->state == SSH_STATE_CLOSED)
4776 x11_close(c->u.x11.xconn);
4777 logeventf(ssh, "Forwarded X11 connection terminated due to local "
4781 case CHAN_SOCKDATA_DORMANT:
4782 pfd_close(c->u.pfd.pf);
4783 logeventf(ssh, "Forwarded port closed due to local error: %s", err);
4786 c->type = CHAN_ZOMBIE;
4787 c->pending_eof = FALSE; /* this will confuse a zombie channel */
4789 ssh2_channel_check_close(c);
4792 int sshfwd_write(struct ssh_channel *c, char *buf, int len)
4796 if (ssh->state == SSH_STATE_CLOSED)
4799 if (ssh->version == 1) {
4800 send_packet(ssh, SSH1_MSG_CHANNEL_DATA,
4801 PKT_INT, c->remoteid,
4802 PKT_INT, len, PKT_DATA, buf, len,
4805 * In SSH-1 we can return 0 here - implying that forwarded
4806 * connections are never individually throttled - because
4807 * the only circumstance that can cause throttling will be
4808 * the whole SSH connection backing up, in which case
4809 * _everything_ will be throttled as a whole.
4813 ssh2_add_channel_data(c, buf, len);
4814 return ssh2_try_send(c);
4818 void sshfwd_unthrottle(struct ssh_channel *c, int bufsize)
4823 if (ssh->state == SSH_STATE_CLOSED)
4826 if (ssh->version == 1) {
4827 buflimit = SSH1_BUFFER_LIMIT;
4829 buflimit = c->v.v2.locmaxwin;
4830 ssh2_set_window(c, bufsize < buflimit ? buflimit - bufsize : 0);
4832 if (c->throttling_conn && bufsize <= buflimit) {
4833 c->throttling_conn = 0;
4834 ssh_throttle_conn(ssh, -1);
4838 static void ssh_queueing_handler(Ssh ssh, struct Packet *pktin)
4840 struct queued_handler *qh = ssh->qhead;
4844 assert(pktin->type == qh->msg1 || pktin->type == qh->msg2);
4847 assert(ssh->packet_dispatch[qh->msg1] == ssh_queueing_handler);
4848 ssh->packet_dispatch[qh->msg1] = ssh->q_saved_handler1;
4851 assert(ssh->packet_dispatch[qh->msg2] == ssh_queueing_handler);
4852 ssh->packet_dispatch[qh->msg2] = ssh->q_saved_handler2;
4856 ssh->qhead = qh->next;
4858 if (ssh->qhead->msg1 > 0) {
4859 ssh->q_saved_handler1 = ssh->packet_dispatch[ssh->qhead->msg1];
4860 ssh->packet_dispatch[ssh->qhead->msg1] = ssh_queueing_handler;
4862 if (ssh->qhead->msg2 > 0) {
4863 ssh->q_saved_handler2 = ssh->packet_dispatch[ssh->qhead->msg2];
4864 ssh->packet_dispatch[ssh->qhead->msg2] = ssh_queueing_handler;
4867 ssh->qhead = ssh->qtail = NULL;
4870 qh->handler(ssh, pktin, qh->ctx);
4875 static void ssh_queue_handler(Ssh ssh, int msg1, int msg2,
4876 chandler_fn_t handler, void *ctx)
4878 struct queued_handler *qh;
4880 qh = snew(struct queued_handler);
4883 qh->handler = handler;
4887 if (ssh->qtail == NULL) {
4891 ssh->q_saved_handler1 = ssh->packet_dispatch[ssh->qhead->msg1];
4892 ssh->packet_dispatch[qh->msg1] = ssh_queueing_handler;
4895 ssh->q_saved_handler2 = ssh->packet_dispatch[ssh->qhead->msg2];
4896 ssh->packet_dispatch[qh->msg2] = ssh_queueing_handler;
4899 ssh->qtail->next = qh;
4904 static void ssh_rportfwd_succfail(Ssh ssh, struct Packet *pktin, void *ctx)
4906 struct ssh_rportfwd *rpf, *pf = (struct ssh_rportfwd *)ctx;
4908 if (pktin->type == (ssh->version == 1 ? SSH1_SMSG_SUCCESS :
4909 SSH2_MSG_REQUEST_SUCCESS)) {
4910 logeventf(ssh, "Remote port forwarding from %s enabled",
4913 logeventf(ssh, "Remote port forwarding from %s refused",
4916 rpf = del234(ssh->rportfwds, pf);
4918 pf->pfrec->remote = NULL;
4923 int ssh_alloc_sharing_rportfwd(Ssh ssh, const char *shost, int sport,
4926 struct ssh_rportfwd *pf = snew(struct ssh_rportfwd);
4929 pf->share_ctx = share_ctx;
4930 pf->shost = dupstr(shost);
4932 pf->sportdesc = NULL;
4933 if (!ssh->rportfwds) {
4934 assert(ssh->version == 2);
4935 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
4937 if (add234(ssh->rportfwds, pf) != pf) {
4945 static void ssh_sharing_global_request_response(Ssh ssh, struct Packet *pktin,
4948 share_got_pkt_from_server(ctx, pktin->type,
4949 pktin->body, pktin->length);
4952 void ssh_sharing_queue_global_request(Ssh ssh, void *share_ctx)
4954 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS, SSH2_MSG_REQUEST_FAILURE,
4955 ssh_sharing_global_request_response, share_ctx);
4958 static void ssh_setup_portfwd(Ssh ssh, Conf *conf)
4960 struct ssh_portfwd *epf;
4964 if (!ssh->portfwds) {
4965 ssh->portfwds = newtree234(ssh_portcmp);
4968 * Go through the existing port forwardings and tag them
4969 * with status==DESTROY. Any that we want to keep will be
4970 * re-enabled (status==KEEP) as we go through the
4971 * configuration and find out which bits are the same as
4974 struct ssh_portfwd *epf;
4976 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
4977 epf->status = DESTROY;
4980 for (val = conf_get_str_strs(conf, CONF_portfwd, NULL, &key);
4982 val = conf_get_str_strs(conf, CONF_portfwd, key, &key)) {
4983 char *kp, *kp2, *vp, *vp2;
4984 char address_family, type;
4985 int sport,dport,sserv,dserv;
4986 char *sports, *dports, *saddr, *host;
4990 address_family = 'A';
4992 if (*kp == 'A' || *kp == '4' || *kp == '6')
4993 address_family = *kp++;
4994 if (*kp == 'L' || *kp == 'R')
4997 if ((kp2 = host_strchr(kp, ':')) != NULL) {
4999 * There's a colon in the middle of the source port
5000 * string, which means that the part before it is
5001 * actually a source address.
5003 char *saddr_tmp = dupprintf("%.*s", (int)(kp2 - kp), kp);
5004 saddr = host_strduptrim(saddr_tmp);
5011 sport = atoi(sports);
5015 sport = net_service_lookup(sports);
5017 logeventf(ssh, "Service lookup failed for source"
5018 " port \"%s\"", sports);
5022 if (type == 'L' && !strcmp(val, "D")) {
5023 /* dynamic forwarding */
5030 /* ordinary forwarding */
5032 vp2 = vp + host_strcspn(vp, ":");
5033 host = dupprintf("%.*s", (int)(vp2 - vp), vp);
5037 dport = atoi(dports);
5041 dport = net_service_lookup(dports);
5043 logeventf(ssh, "Service lookup failed for destination"
5044 " port \"%s\"", dports);
5049 if (sport && dport) {
5050 /* Set up a description of the source port. */
5051 struct ssh_portfwd *pfrec, *epfrec;
5053 pfrec = snew(struct ssh_portfwd);
5055 pfrec->saddr = saddr;
5056 pfrec->sserv = sserv ? dupstr(sports) : NULL;
5057 pfrec->sport = sport;
5058 pfrec->daddr = host;
5059 pfrec->dserv = dserv ? dupstr(dports) : NULL;
5060 pfrec->dport = dport;
5061 pfrec->local = NULL;
5062 pfrec->remote = NULL;
5063 pfrec->addressfamily = (address_family == '4' ? ADDRTYPE_IPV4 :
5064 address_family == '6' ? ADDRTYPE_IPV6 :
5067 epfrec = add234(ssh->portfwds, pfrec);
5068 if (epfrec != pfrec) {
5069 if (epfrec->status == DESTROY) {
5071 * We already have a port forwarding up and running
5072 * with precisely these parameters. Hence, no need
5073 * to do anything; simply re-tag the existing one
5076 epfrec->status = KEEP;
5079 * Anything else indicates that there was a duplicate
5080 * in our input, which we'll silently ignore.
5082 free_portfwd(pfrec);
5084 pfrec->status = CREATE;
5093 * Now go through and destroy any port forwardings which were
5096 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
5097 if (epf->status == DESTROY) {
5100 message = dupprintf("%s port forwarding from %s%s%d",
5101 epf->type == 'L' ? "local" :
5102 epf->type == 'R' ? "remote" : "dynamic",
5103 epf->saddr ? epf->saddr : "",
5104 epf->saddr ? ":" : "",
5107 if (epf->type != 'D') {
5108 char *msg2 = dupprintf("%s to %s:%d", message,
5109 epf->daddr, epf->dport);
5114 logeventf(ssh, "Cancelling %s", message);
5117 /* epf->remote or epf->local may be NULL if setting up a
5118 * forwarding failed. */
5120 struct ssh_rportfwd *rpf = epf->remote;
5121 struct Packet *pktout;
5124 * Cancel the port forwarding at the server
5127 if (ssh->version == 1) {
5129 * We cannot cancel listening ports on the
5130 * server side in SSH-1! There's no message
5131 * to support it. Instead, we simply remove
5132 * the rportfwd record from the local end
5133 * so that any connections the server tries
5134 * to make on it are rejected.
5137 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
5138 ssh2_pkt_addstring(pktout, "cancel-tcpip-forward");
5139 ssh2_pkt_addbool(pktout, 0);/* _don't_ want reply */
5141 ssh2_pkt_addstring(pktout, epf->saddr);
5142 } else if (conf_get_int(conf, CONF_rport_acceptall)) {
5143 /* XXX: rport_acceptall may not represent
5144 * what was used to open the original connection,
5145 * since it's reconfigurable. */
5146 ssh2_pkt_addstring(pktout, "");
5148 ssh2_pkt_addstring(pktout, "localhost");
5150 ssh2_pkt_adduint32(pktout, epf->sport);
5151 ssh2_pkt_send(ssh, pktout);
5154 del234(ssh->rportfwds, rpf);
5156 } else if (epf->local) {
5157 pfl_terminate(epf->local);
5160 delpos234(ssh->portfwds, i);
5162 i--; /* so we don't skip one in the list */
5166 * And finally, set up any new port forwardings (status==CREATE).
5168 for (i = 0; (epf = index234(ssh->portfwds, i)) != NULL; i++)
5169 if (epf->status == CREATE) {
5170 char *sportdesc, *dportdesc;
5171 sportdesc = dupprintf("%s%s%s%s%d%s",
5172 epf->saddr ? epf->saddr : "",
5173 epf->saddr ? ":" : "",
5174 epf->sserv ? epf->sserv : "",
5175 epf->sserv ? "(" : "",
5177 epf->sserv ? ")" : "");
5178 if (epf->type == 'D') {
5181 dportdesc = dupprintf("%s:%s%s%d%s",
5183 epf->dserv ? epf->dserv : "",
5184 epf->dserv ? "(" : "",
5186 epf->dserv ? ")" : "");
5189 if (epf->type == 'L') {
5190 char *err = pfl_listen(epf->daddr, epf->dport,
5191 epf->saddr, epf->sport,
5192 ssh, conf, &epf->local,
5193 epf->addressfamily);
5195 logeventf(ssh, "Local %sport %s forwarding to %s%s%s",
5196 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
5197 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
5198 sportdesc, dportdesc,
5199 err ? " failed: " : "", err ? err : "");
5202 } else if (epf->type == 'D') {
5203 char *err = pfl_listen(NULL, -1, epf->saddr, epf->sport,
5204 ssh, conf, &epf->local,
5205 epf->addressfamily);
5207 logeventf(ssh, "Local %sport %s SOCKS dynamic forwarding%s%s",
5208 epf->addressfamily == ADDRTYPE_IPV4 ? "IPv4 " :
5209 epf->addressfamily == ADDRTYPE_IPV6 ? "IPv6 " : "",
5211 err ? " failed: " : "", err ? err : "");
5216 struct ssh_rportfwd *pf;
5219 * Ensure the remote port forwardings tree exists.
5221 if (!ssh->rportfwds) {
5222 if (ssh->version == 1)
5223 ssh->rportfwds = newtree234(ssh_rportcmp_ssh1);
5225 ssh->rportfwds = newtree234(ssh_rportcmp_ssh2);
5228 pf = snew(struct ssh_rportfwd);
5229 pf->share_ctx = NULL;
5230 pf->dhost = dupstr(epf->daddr);
5231 pf->dport = epf->dport;
5233 pf->shost = dupstr(epf->saddr);
5234 } else if (conf_get_int(conf, CONF_rport_acceptall)) {
5235 pf->shost = dupstr("");
5237 pf->shost = dupstr("localhost");
5239 pf->sport = epf->sport;
5240 if (add234(ssh->rportfwds, pf) != pf) {
5241 logeventf(ssh, "Duplicate remote port forwarding to %s:%d",
5242 epf->daddr, epf->dport);
5245 logeventf(ssh, "Requesting remote port %s"
5246 " forward to %s", sportdesc, dportdesc);
5248 pf->sportdesc = sportdesc;
5253 if (ssh->version == 1) {
5254 send_packet(ssh, SSH1_CMSG_PORT_FORWARD_REQUEST,
5255 PKT_INT, epf->sport,
5256 PKT_STR, epf->daddr,
5257 PKT_INT, epf->dport,
5259 ssh_queue_handler(ssh, SSH1_SMSG_SUCCESS,
5261 ssh_rportfwd_succfail, pf);
5263 struct Packet *pktout;
5264 pktout = ssh2_pkt_init(SSH2_MSG_GLOBAL_REQUEST);
5265 ssh2_pkt_addstring(pktout, "tcpip-forward");
5266 ssh2_pkt_addbool(pktout, 1);/* want reply */
5267 ssh2_pkt_addstring(pktout, pf->shost);
5268 ssh2_pkt_adduint32(pktout, pf->sport);
5269 ssh2_pkt_send(ssh, pktout);
5271 ssh_queue_handler(ssh, SSH2_MSG_REQUEST_SUCCESS,
5272 SSH2_MSG_REQUEST_FAILURE,
5273 ssh_rportfwd_succfail, pf);
5282 static void ssh1_smsg_stdout_stderr_data(Ssh ssh, struct Packet *pktin)
5285 int stringlen, bufsize;
5287 ssh_pkt_getstring(pktin, &string, &stringlen);
5288 if (string == NULL) {
5289 bombout(("Incoming terminal data packet was badly formed"));
5293 bufsize = from_backend(ssh->frontend, pktin->type == SSH1_SMSG_STDERR_DATA,
5295 if (!ssh->v1_stdout_throttling && bufsize > SSH1_BUFFER_LIMIT) {
5296 ssh->v1_stdout_throttling = 1;
5297 ssh_throttle_conn(ssh, +1);
5301 static void ssh1_smsg_x11_open(Ssh ssh, struct Packet *pktin)
5303 /* Remote side is trying to open a channel to talk to our
5304 * X-Server. Give them back a local channel number. */
5305 struct ssh_channel *c;
5306 int remoteid = ssh_pkt_getuint32(pktin);
5308 logevent("Received X11 connect request");
5309 /* Refuse if X11 forwarding is disabled. */
5310 if (!ssh->X11_fwd_enabled) {
5311 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
5312 PKT_INT, remoteid, PKT_END);
5313 logevent("Rejected X11 connect request");
5315 c = snew(struct ssh_channel);
5318 c->u.x11.xconn = x11_init(ssh->x11authtree, c, NULL, -1);
5319 c->remoteid = remoteid;
5320 c->halfopen = FALSE;
5321 c->localid = alloc_channel_id(ssh);
5323 c->pending_eof = FALSE;
5324 c->throttling_conn = 0;
5325 c->type = CHAN_X11; /* identify channel type */
5326 add234(ssh->channels, c);
5327 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
5328 PKT_INT, c->remoteid, PKT_INT,
5329 c->localid, PKT_END);
5330 logevent("Opened X11 forward channel");
5334 static void ssh1_smsg_agent_open(Ssh ssh, struct Packet *pktin)
5336 /* Remote side is trying to open a channel to talk to our
5337 * agent. Give them back a local channel number. */
5338 struct ssh_channel *c;
5339 int remoteid = ssh_pkt_getuint32(pktin);
5341 /* Refuse if agent forwarding is disabled. */
5342 if (!ssh->agentfwd_enabled) {
5343 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
5344 PKT_INT, remoteid, PKT_END);
5346 c = snew(struct ssh_channel);
5348 c->remoteid = remoteid;
5349 c->halfopen = FALSE;
5350 c->localid = alloc_channel_id(ssh);
5352 c->pending_eof = FALSE;
5353 c->throttling_conn = 0;
5354 c->type = CHAN_AGENT; /* identify channel type */
5355 c->u.a.lensofar = 0;
5356 c->u.a.message = NULL;
5357 c->u.a.outstanding_requests = 0;
5358 add234(ssh->channels, c);
5359 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
5360 PKT_INT, c->remoteid, PKT_INT, c->localid,
5365 static void ssh1_msg_port_open(Ssh ssh, struct Packet *pktin)
5367 /* Remote side is trying to open a channel to talk to a
5368 * forwarded port. Give them back a local channel number. */
5369 struct ssh_rportfwd pf, *pfp;
5375 remoteid = ssh_pkt_getuint32(pktin);
5376 ssh_pkt_getstring(pktin, &host, &hostsize);
5377 port = ssh_pkt_getuint32(pktin);
5379 pf.dhost = dupprintf("%.*s", hostsize, host);
5381 pfp = find234(ssh->rportfwds, &pf, NULL);
5384 logeventf(ssh, "Rejected remote port open request for %s:%d",
5386 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
5387 PKT_INT, remoteid, PKT_END);
5389 struct ssh_channel *c = snew(struct ssh_channel);
5392 logeventf(ssh, "Received remote port open request for %s:%d",
5394 err = pfd_connect(&c->u.pfd.pf, pf.dhost, port,
5395 c, ssh->conf, pfp->pfrec->addressfamily);
5397 logeventf(ssh, "Port open failed: %s", err);
5400 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_FAILURE,
5401 PKT_INT, remoteid, PKT_END);
5403 c->remoteid = remoteid;
5404 c->halfopen = FALSE;
5405 c->localid = alloc_channel_id(ssh);
5407 c->pending_eof = FALSE;
5408 c->throttling_conn = 0;
5409 c->type = CHAN_SOCKDATA; /* identify channel type */
5410 add234(ssh->channels, c);
5411 send_packet(ssh, SSH1_MSG_CHANNEL_OPEN_CONFIRMATION,
5412 PKT_INT, c->remoteid, PKT_INT,
5413 c->localid, PKT_END);
5414 logevent("Forwarded port opened successfully");
5421 static void ssh1_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
5423 unsigned int remoteid = ssh_pkt_getuint32(pktin);
5424 unsigned int localid = ssh_pkt_getuint32(pktin);
5425 struct ssh_channel *c;
5427 c = find234(ssh->channels, &remoteid, ssh_channelfind);
5428 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
5429 c->remoteid = localid;
5430 c->halfopen = FALSE;
5431 c->type = CHAN_SOCKDATA;
5432 c->throttling_conn = 0;
5433 pfd_confirm(c->u.pfd.pf);
5436 if (c && c->pending_eof) {
5438 * We have a pending close on this channel,
5439 * which we decided on before the server acked
5440 * the channel open. So now we know the
5441 * remoteid, we can close it again.
5443 ssh_channel_try_eof(c);
5447 static void ssh1_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
5449 unsigned int remoteid = ssh_pkt_getuint32(pktin);
5450 struct ssh_channel *c;
5452 c = find234(ssh->channels, &remoteid, ssh_channelfind);
5453 if (c && c->type == CHAN_SOCKDATA_DORMANT) {
5454 logevent("Forwarded connection refused by server");
5455 pfd_close(c->u.pfd.pf);
5456 del234(ssh->channels, c);
5461 static void ssh1_msg_channel_close(Ssh ssh, struct Packet *pktin)
5463 /* Remote side closes a channel. */
5464 unsigned i = ssh_pkt_getuint32(pktin);
5465 struct ssh_channel *c;
5466 c = find234(ssh->channels, &i, ssh_channelfind);
5467 if (c && !c->halfopen) {
5469 if (pktin->type == SSH1_MSG_CHANNEL_CLOSE &&
5470 !(c->closes & CLOSES_RCVD_EOF)) {
5472 * Received CHANNEL_CLOSE, which we translate into
5475 int send_close = FALSE;
5477 c->closes |= CLOSES_RCVD_EOF;
5482 x11_send_eof(c->u.x11.xconn);
5488 pfd_send_eof(c->u.pfd.pf);
5497 if (send_close && !(c->closes & CLOSES_SENT_EOF)) {
5498 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE, PKT_INT, c->remoteid,
5500 c->closes |= CLOSES_SENT_EOF;
5504 if (pktin->type == SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION &&
5505 !(c->closes & CLOSES_RCVD_CLOSE)) {
5507 if (!(c->closes & CLOSES_SENT_EOF)) {
5508 bombout(("Received CHANNEL_CLOSE_CONFIRMATION for channel %d"
5509 " for which we never sent CHANNEL_CLOSE\n", i));
5512 c->closes |= CLOSES_RCVD_CLOSE;
5515 if (!((CLOSES_SENT_EOF | CLOSES_RCVD_EOF) & ~c->closes) &&
5516 !(c->closes & CLOSES_SENT_CLOSE)) {
5517 send_packet(ssh, SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION,
5518 PKT_INT, c->remoteid, PKT_END);
5519 c->closes |= CLOSES_SENT_CLOSE;
5522 if (!((CLOSES_SENT_CLOSE | CLOSES_RCVD_CLOSE) & ~c->closes))
5523 ssh_channel_destroy(c);
5525 bombout(("Received CHANNEL_CLOSE%s for %s channel %d\n",
5526 pktin->type == SSH1_MSG_CHANNEL_CLOSE ? "" :
5527 "_CONFIRMATION", c ? "half-open" : "nonexistent",
5532 static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
5534 /* Data sent down one of our channels. */
5535 int i = ssh_pkt_getuint32(pktin);
5538 struct ssh_channel *c;
5540 ssh_pkt_getstring(pktin, &p, &len);
5542 c = find234(ssh->channels, &i, ssh_channelfind);
5547 bufsize = x11_send(c->u.x11.xconn, p, len);
5550 bufsize = pfd_send(c->u.pfd.pf, p, len);
5553 /* Data for an agent message. Buffer it. */
5555 if (c->u.a.lensofar < 4) {
5556 unsigned int l = min(4 - c->u.a.lensofar, (unsigned)len);
5557 memcpy(c->u.a.msglen + c->u.a.lensofar, p,
5561 c->u.a.lensofar += l;
5563 if (c->u.a.lensofar == 4) {
5565 4 + GET_32BIT(c->u.a.msglen);
5566 c->u.a.message = snewn(c->u.a.totallen,
5568 memcpy(c->u.a.message, c->u.a.msglen, 4);
5570 if (c->u.a.lensofar >= 4 && len > 0) {
5572 min(c->u.a.totallen - c->u.a.lensofar,
5574 memcpy(c->u.a.message + c->u.a.lensofar, p,
5578 c->u.a.lensofar += l;
5580 if (c->u.a.lensofar == c->u.a.totallen) {
5583 c->u.a.outstanding_requests++;
5584 if (agent_query(c->u.a.message,
5587 ssh_agentf_callback, c))
5588 ssh_agentf_callback(c, reply, replylen);
5589 sfree(c->u.a.message);
5590 c->u.a.lensofar = 0;
5593 bufsize = 0; /* agent channels never back up */
5596 if (!c->throttling_conn && bufsize > SSH1_BUFFER_LIMIT) {
5597 c->throttling_conn = 1;
5598 ssh_throttle_conn(ssh, +1);
5603 static void ssh1_smsg_exit_status(Ssh ssh, struct Packet *pktin)
5605 ssh->exitcode = ssh_pkt_getuint32(pktin);
5606 logeventf(ssh, "Server sent command exit status %d", ssh->exitcode);
5607 send_packet(ssh, SSH1_CMSG_EXIT_CONFIRMATION, PKT_END);
5609 * In case `helpful' firewalls or proxies tack
5610 * extra human-readable text on the end of the
5611 * session which we might mistake for another
5612 * encrypted packet, we close the session once
5613 * we've sent EXIT_CONFIRMATION.
5615 ssh_disconnect(ssh, NULL, NULL, 0, TRUE);
5618 /* Helper function to deal with sending tty modes for REQUEST_PTY */
5619 static void ssh1_send_ttymode(void *data, char *mode, char *val)
5621 struct Packet *pktout = (struct Packet *)data;
5623 unsigned int arg = 0;
5624 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
5625 if (i == lenof(ssh_ttymodes)) return;
5626 switch (ssh_ttymodes[i].type) {
5628 arg = ssh_tty_parse_specchar(val);
5631 arg = ssh_tty_parse_boolean(val);
5634 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
5635 ssh2_pkt_addbyte(pktout, arg);
5638 int ssh_agent_forwarding_permitted(Ssh ssh)
5640 return conf_get_int(ssh->conf, CONF_agentfwd) && agent_exists();
5643 static void do_ssh1_connection(Ssh ssh, unsigned char *in, int inlen,
5644 struct Packet *pktin)
5646 crBegin(ssh->do_ssh1_connection_crstate);
5648 ssh->packet_dispatch[SSH1_SMSG_STDOUT_DATA] =
5649 ssh->packet_dispatch[SSH1_SMSG_STDERR_DATA] =
5650 ssh1_smsg_stdout_stderr_data;
5652 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_CONFIRMATION] =
5653 ssh1_msg_channel_open_confirmation;
5654 ssh->packet_dispatch[SSH1_MSG_CHANNEL_OPEN_FAILURE] =
5655 ssh1_msg_channel_open_failure;
5656 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE] =
5657 ssh->packet_dispatch[SSH1_MSG_CHANNEL_CLOSE_CONFIRMATION] =
5658 ssh1_msg_channel_close;
5659 ssh->packet_dispatch[SSH1_MSG_CHANNEL_DATA] = ssh1_msg_channel_data;
5660 ssh->packet_dispatch[SSH1_SMSG_EXIT_STATUS] = ssh1_smsg_exit_status;
5662 if (ssh_agent_forwarding_permitted(ssh)) {
5663 logevent("Requesting agent forwarding");
5664 send_packet(ssh, SSH1_CMSG_AGENT_REQUEST_FORWARDING, PKT_END);
5668 if (pktin->type != SSH1_SMSG_SUCCESS
5669 && pktin->type != SSH1_SMSG_FAILURE) {
5670 bombout(("Protocol confusion"));
5672 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5673 logevent("Agent forwarding refused");
5675 logevent("Agent forwarding enabled");
5676 ssh->agentfwd_enabled = TRUE;
5677 ssh->packet_dispatch[SSH1_SMSG_AGENT_OPEN] = ssh1_smsg_agent_open;
5681 if (conf_get_int(ssh->conf, CONF_x11_forward)) {
5683 x11_setup_display(conf_get_str(ssh->conf, CONF_x11_display),
5685 if (!ssh->x11disp) {
5686 /* FIXME: return an error message from x11_setup_display */
5687 logevent("X11 forwarding not enabled: unable to"
5688 " initialise X display");
5690 ssh->x11auth = x11_invent_fake_auth
5691 (ssh->x11authtree, conf_get_int(ssh->conf, CONF_x11_auth));
5692 ssh->x11auth->disp = ssh->x11disp;
5694 logevent("Requesting X11 forwarding");
5695 if (ssh->v1_local_protoflags & SSH1_PROTOFLAG_SCREEN_NUMBER) {
5696 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
5697 PKT_STR, ssh->x11auth->protoname,
5698 PKT_STR, ssh->x11auth->datastring,
5699 PKT_INT, ssh->x11disp->screennum,
5702 send_packet(ssh, SSH1_CMSG_X11_REQUEST_FORWARDING,
5703 PKT_STR, ssh->x11auth->protoname,
5704 PKT_STR, ssh->x11auth->datastring,
5710 if (pktin->type != SSH1_SMSG_SUCCESS
5711 && pktin->type != SSH1_SMSG_FAILURE) {
5712 bombout(("Protocol confusion"));
5714 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5715 logevent("X11 forwarding refused");
5717 logevent("X11 forwarding enabled");
5718 ssh->X11_fwd_enabled = TRUE;
5719 ssh->packet_dispatch[SSH1_SMSG_X11_OPEN] = ssh1_smsg_x11_open;
5724 ssh_setup_portfwd(ssh, ssh->conf);
5725 ssh->packet_dispatch[SSH1_MSG_PORT_OPEN] = ssh1_msg_port_open;
5727 if (!conf_get_int(ssh->conf, CONF_nopty)) {
5729 /* Unpick the terminal-speed string. */
5730 /* XXX perhaps we should allow no speeds to be sent. */
5731 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
5732 sscanf(conf_get_str(ssh->conf, CONF_termspeed), "%d,%d", &ssh->ospeed, &ssh->ispeed);
5733 /* Send the pty request. */
5734 pkt = ssh1_pkt_init(SSH1_CMSG_REQUEST_PTY);
5735 ssh_pkt_addstring(pkt, conf_get_str(ssh->conf, CONF_termtype));
5736 ssh_pkt_adduint32(pkt, ssh->term_height);
5737 ssh_pkt_adduint32(pkt, ssh->term_width);
5738 ssh_pkt_adduint32(pkt, 0); /* width in pixels */
5739 ssh_pkt_adduint32(pkt, 0); /* height in pixels */
5740 parse_ttymodes(ssh, ssh1_send_ttymode, (void *)pkt);
5741 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_ISPEED);
5742 ssh_pkt_adduint32(pkt, ssh->ispeed);
5743 ssh_pkt_addbyte(pkt, SSH1_TTY_OP_OSPEED);
5744 ssh_pkt_adduint32(pkt, ssh->ospeed);
5745 ssh_pkt_addbyte(pkt, SSH_TTY_OP_END);
5747 ssh->state = SSH_STATE_INTERMED;
5751 if (pktin->type != SSH1_SMSG_SUCCESS
5752 && pktin->type != SSH1_SMSG_FAILURE) {
5753 bombout(("Protocol confusion"));
5755 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5756 c_write_str(ssh, "Server refused to allocate pty\r\n");
5757 ssh->editing = ssh->echoing = 1;
5759 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
5760 ssh->ospeed, ssh->ispeed);
5761 ssh->got_pty = TRUE;
5764 ssh->editing = ssh->echoing = 1;
5767 if (conf_get_int(ssh->conf, CONF_compression)) {
5768 send_packet(ssh, SSH1_CMSG_REQUEST_COMPRESSION, PKT_INT, 6, PKT_END);
5772 if (pktin->type != SSH1_SMSG_SUCCESS
5773 && pktin->type != SSH1_SMSG_FAILURE) {
5774 bombout(("Protocol confusion"));
5776 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5777 c_write_str(ssh, "Server refused to compress\r\n");
5779 logevent("Started compression");
5780 ssh->v1_compressing = TRUE;
5781 ssh->cs_comp_ctx = zlib_compress_init();
5782 logevent("Initialised zlib (RFC1950) compression");
5783 ssh->sc_comp_ctx = zlib_decompress_init();
5784 logevent("Initialised zlib (RFC1950) decompression");
5788 * Start the shell or command.
5790 * Special case: if the first-choice command is an SSH-2
5791 * subsystem (hence not usable here) and the second choice
5792 * exists, we fall straight back to that.
5795 char *cmd = conf_get_str(ssh->conf, CONF_remote_cmd);
5797 if (conf_get_int(ssh->conf, CONF_ssh_subsys) &&
5798 conf_get_str(ssh->conf, CONF_remote_cmd2)) {
5799 cmd = conf_get_str(ssh->conf, CONF_remote_cmd2);
5800 ssh->fallback_cmd = TRUE;
5803 send_packet(ssh, SSH1_CMSG_EXEC_CMD, PKT_STR, cmd, PKT_END);
5805 send_packet(ssh, SSH1_CMSG_EXEC_SHELL, PKT_END);
5806 logevent("Started session");
5809 ssh->state = SSH_STATE_SESSION;
5810 if (ssh->size_needed)
5811 ssh_size(ssh, ssh->term_width, ssh->term_height);
5812 if (ssh->eof_needed)
5813 ssh_special(ssh, TS_EOF);
5816 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
5818 ssh->channels = newtree234(ssh_channelcmp);
5822 * By this point, most incoming packets are already being
5823 * handled by the dispatch table, and we need only pay
5824 * attention to the unusual ones.
5829 if (pktin->type == SSH1_SMSG_SUCCESS) {
5830 /* may be from EXEC_SHELL on some servers */
5831 } else if (pktin->type == SSH1_SMSG_FAILURE) {
5832 /* may be from EXEC_SHELL on some servers
5833 * if no pty is available or in other odd cases. Ignore */
5835 bombout(("Strange packet received: type %d", pktin->type));
5840 int len = min(inlen, 512);
5841 send_packet(ssh, SSH1_CMSG_STDIN_DATA,
5842 PKT_INT, len, PKT_DATA, in, len,
5854 * Handle the top-level SSH-2 protocol.
5856 static void ssh1_msg_debug(Ssh ssh, struct Packet *pktin)
5861 ssh_pkt_getstring(pktin, &msg, &msglen);
5862 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
5865 static void ssh1_msg_disconnect(Ssh ssh, struct Packet *pktin)
5867 /* log reason code in disconnect message */
5871 ssh_pkt_getstring(pktin, &msg, &msglen);
5872 bombout(("Server sent disconnect message:\n\"%.*s\"", msglen, msg));
5875 static void ssh_msg_ignore(Ssh ssh, struct Packet *pktin)
5877 /* Do nothing, because we're ignoring it! Duhh. */
5880 static void ssh1_protocol_setup(Ssh ssh)
5885 * Most messages are handled by the coroutines.
5887 for (i = 0; i < 256; i++)
5888 ssh->packet_dispatch[i] = NULL;
5891 * These special message types we install handlers for.
5893 ssh->packet_dispatch[SSH1_MSG_DISCONNECT] = ssh1_msg_disconnect;
5894 ssh->packet_dispatch[SSH1_MSG_IGNORE] = ssh_msg_ignore;
5895 ssh->packet_dispatch[SSH1_MSG_DEBUG] = ssh1_msg_debug;
5898 static void ssh1_protocol(Ssh ssh, void *vin, int inlen,
5899 struct Packet *pktin)
5901 unsigned char *in=(unsigned char*)vin;
5902 if (ssh->state == SSH_STATE_CLOSED)
5905 if (pktin && ssh->packet_dispatch[pktin->type]) {
5906 ssh->packet_dispatch[pktin->type](ssh, pktin);
5910 if (!ssh->protocol_initial_phase_done) {
5911 if (do_ssh1_login(ssh, in, inlen, pktin))
5912 ssh->protocol_initial_phase_done = TRUE;
5917 do_ssh1_connection(ssh, in, inlen, pktin);
5921 * Utility routine for decoding comma-separated strings in KEXINIT.
5923 static int in_commasep_string(char *needle, char *haystack, int haylen)
5926 if (!needle || !haystack) /* protect against null pointers */
5928 needlen = strlen(needle);
5931 * Is it at the start of the string?
5933 if (haylen >= needlen && /* haystack is long enough */
5934 !memcmp(needle, haystack, needlen) && /* initial match */
5935 (haylen == needlen || haystack[needlen] == ',')
5936 /* either , or EOS follows */
5940 * If not, search for the next comma and resume after that.
5941 * If no comma found, terminate.
5943 while (haylen > 0 && *haystack != ',')
5944 haylen--, haystack++;
5947 haylen--, haystack++; /* skip over comma itself */
5952 * Similar routine for checking whether we have the first string in a list.
5954 static int first_in_commasep_string(char *needle, char *haystack, int haylen)
5957 if (!needle || !haystack) /* protect against null pointers */
5959 needlen = strlen(needle);
5961 * Is it at the start of the string?
5963 if (haylen >= needlen && /* haystack is long enough */
5964 !memcmp(needle, haystack, needlen) && /* initial match */
5965 (haylen == needlen || haystack[needlen] == ',')
5966 /* either , or EOS follows */
5974 * SSH-2 key creation method.
5975 * (Currently assumes 2 lots of any hash are sufficient to generate
5976 * keys/IVs for any cipher/MAC. SSH2_MKKEY_ITERS documents this assumption.)
5978 #define SSH2_MKKEY_ITERS (2)
5979 static void ssh2_mkkey(Ssh ssh, Bignum K, unsigned char *H, char chr,
5980 unsigned char *keyspace)
5982 const struct ssh_hash *h = ssh->kex->hash;
5984 /* First hlen bytes. */
5986 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5987 hash_mpint(h, s, K);
5988 h->bytes(s, H, h->hlen);
5989 h->bytes(s, &chr, 1);
5990 h->bytes(s, ssh->v2_session_id, ssh->v2_session_id_len);
5991 h->final(s, keyspace);
5992 /* Next hlen bytes. */
5994 if (!(ssh->remote_bugs & BUG_SSH2_DERIVEKEY))
5995 hash_mpint(h, s, K);
5996 h->bytes(s, H, h->hlen);
5997 h->bytes(s, keyspace, h->hlen);
5998 h->final(s, keyspace + h->hlen);
6002 * Handle the SSH-2 transport layer.
6004 static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
6005 struct Packet *pktin)
6007 unsigned char *in = (unsigned char *)vin;
6008 struct do_ssh2_transport_state {
6010 int nbits, pbits, warn_kex, warn_cscipher, warn_sccipher;
6011 Bignum p, g, e, f, K;
6014 int kex_init_value, kex_reply_value;
6015 const struct ssh_mac **maclist;
6017 const struct ssh2_cipher *cscipher_tobe;
6018 const struct ssh2_cipher *sccipher_tobe;
6019 const struct ssh_mac *csmac_tobe;
6020 const struct ssh_mac *scmac_tobe;
6021 const struct ssh_compress *cscomp_tobe;
6022 const struct ssh_compress *sccomp_tobe;
6023 char *hostkeydata, *sigdata, *rsakeydata, *keystr, *fingerprint;
6024 int hostkeylen, siglen, rsakeylen;
6025 void *hkey; /* actual host key */
6026 void *rsakey; /* for RSA kex */
6027 unsigned char exchange_hash[SSH2_KEX_MAX_HASH_LEN];
6028 int n_preferred_kex;
6029 const struct ssh_kexes *preferred_kex[KEX_MAX];
6030 int n_preferred_ciphers;
6031 const struct ssh2_ciphers *preferred_ciphers[CIPHER_MAX];
6032 const struct ssh_compress *preferred_comp;
6033 int userauth_succeeded; /* for delayed compression */
6034 int pending_compression;
6035 int got_session_id, activated_authconn;
6036 struct Packet *pktout;
6041 crState(do_ssh2_transport_state);
6043 assert(!ssh->bare_connection);
6047 s->cscipher_tobe = s->sccipher_tobe = NULL;
6048 s->csmac_tobe = s->scmac_tobe = NULL;
6049 s->cscomp_tobe = s->sccomp_tobe = NULL;
6051 s->got_session_id = s->activated_authconn = FALSE;
6052 s->userauth_succeeded = FALSE;
6053 s->pending_compression = FALSE;
6056 * Be prepared to work around the buggy MAC problem.
6058 if (ssh->remote_bugs & BUG_SSH2_HMAC)
6059 s->maclist = buggymacs, s->nmacs = lenof(buggymacs);
6061 s->maclist = macs, s->nmacs = lenof(macs);
6064 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
6066 int i, j, k, commalist_started;
6069 * Set up the preferred key exchange. (NULL => warn below here)
6071 s->n_preferred_kex = 0;
6072 for (i = 0; i < KEX_MAX; i++) {
6073 switch (conf_get_int_int(ssh->conf, CONF_ssh_kexlist, i)) {
6075 s->preferred_kex[s->n_preferred_kex++] =
6076 &ssh_diffiehellman_gex;
6079 s->preferred_kex[s->n_preferred_kex++] =
6080 &ssh_diffiehellman_group14;
6083 s->preferred_kex[s->n_preferred_kex++] =
6084 &ssh_diffiehellman_group1;
6087 s->preferred_kex[s->n_preferred_kex++] =
6091 /* Flag for later. Don't bother if it's the last in
6093 if (i < KEX_MAX - 1) {
6094 s->preferred_kex[s->n_preferred_kex++] = NULL;
6101 * Set up the preferred ciphers. (NULL => warn below here)
6103 s->n_preferred_ciphers = 0;
6104 for (i = 0; i < CIPHER_MAX; i++) {
6105 switch (conf_get_int_int(ssh->conf, CONF_ssh_cipherlist, i)) {
6106 case CIPHER_BLOWFISH:
6107 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_blowfish;
6110 if (conf_get_int(ssh->conf, CONF_ssh2_des_cbc)) {
6111 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_des;
6115 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_3des;
6118 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_aes;
6120 case CIPHER_ARCFOUR:
6121 s->preferred_ciphers[s->n_preferred_ciphers++] = &ssh2_arcfour;
6124 /* Flag for later. Don't bother if it's the last in
6126 if (i < CIPHER_MAX - 1) {
6127 s->preferred_ciphers[s->n_preferred_ciphers++] = NULL;
6134 * Set up preferred compression.
6136 if (conf_get_int(ssh->conf, CONF_compression))
6137 s->preferred_comp = &ssh_zlib;
6139 s->preferred_comp = &ssh_comp_none;
6142 * Enable queueing of outgoing auth- or connection-layer
6143 * packets while we are in the middle of a key exchange.
6145 ssh->queueing = TRUE;
6148 * Flag that KEX is in progress.
6150 ssh->kex_in_progress = TRUE;
6153 * Construct and send our key exchange packet.
6155 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXINIT);
6156 for (i = 0; i < 16; i++)
6157 ssh2_pkt_addbyte(s->pktout, (unsigned char) random_byte());
6158 /* List key exchange algorithms. */
6159 ssh2_pkt_addstring_start(s->pktout);
6160 commalist_started = 0;
6161 for (i = 0; i < s->n_preferred_kex; i++) {
6162 const struct ssh_kexes *k = s->preferred_kex[i];
6163 if (!k) continue; /* warning flag */
6164 for (j = 0; j < k->nkexes; j++) {
6165 if (commalist_started)
6166 ssh2_pkt_addstring_str(s->pktout, ",");
6167 ssh2_pkt_addstring_str(s->pktout, k->list[j]->name);
6168 commalist_started = 1;
6171 /* List server host key algorithms. */
6172 if (!s->got_session_id) {
6174 * In the first key exchange, we list all the algorithms
6175 * we're prepared to cope with.
6177 ssh2_pkt_addstring_start(s->pktout);
6178 for (i = 0; i < lenof(hostkey_algs); i++) {
6179 ssh2_pkt_addstring_str(s->pktout, hostkey_algs[i]->name);
6180 if (i < lenof(hostkey_algs) - 1)
6181 ssh2_pkt_addstring_str(s->pktout, ",");
6185 * In subsequent key exchanges, we list only the kex
6186 * algorithm that was selected in the first key exchange,
6187 * so that we keep getting the same host key and hence
6188 * don't have to interrupt the user's session to ask for
6192 ssh2_pkt_addstring(s->pktout, ssh->hostkey->name);
6194 /* List encryption algorithms (client->server then server->client). */
6195 for (k = 0; k < 2; k++) {
6196 ssh2_pkt_addstring_start(s->pktout);
6197 commalist_started = 0;
6198 for (i = 0; i < s->n_preferred_ciphers; i++) {
6199 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
6200 if (!c) continue; /* warning flag */
6201 for (j = 0; j < c->nciphers; j++) {
6202 if (commalist_started)
6203 ssh2_pkt_addstring_str(s->pktout, ",");
6204 ssh2_pkt_addstring_str(s->pktout, c->list[j]->name);
6205 commalist_started = 1;
6209 /* List MAC algorithms (client->server then server->client). */
6210 for (j = 0; j < 2; j++) {
6211 ssh2_pkt_addstring_start(s->pktout);
6212 for (i = 0; i < s->nmacs; i++) {
6213 ssh2_pkt_addstring_str(s->pktout, s->maclist[i]->name);
6214 if (i < s->nmacs - 1)
6215 ssh2_pkt_addstring_str(s->pktout, ",");
6218 /* List client->server compression algorithms,
6219 * then server->client compression algorithms. (We use the
6220 * same set twice.) */
6221 for (j = 0; j < 2; j++) {
6222 ssh2_pkt_addstring_start(s->pktout);
6223 assert(lenof(compressions) > 1);
6224 /* Prefer non-delayed versions */
6225 ssh2_pkt_addstring_str(s->pktout, s->preferred_comp->name);
6226 /* We don't even list delayed versions of algorithms until
6227 * they're allowed to be used, to avoid a race. See the end of
6229 if (s->userauth_succeeded && s->preferred_comp->delayed_name) {
6230 ssh2_pkt_addstring_str(s->pktout, ",");
6231 ssh2_pkt_addstring_str(s->pktout,
6232 s->preferred_comp->delayed_name);
6234 for (i = 0; i < lenof(compressions); i++) {
6235 const struct ssh_compress *c = compressions[i];
6236 if (c != s->preferred_comp) {
6237 ssh2_pkt_addstring_str(s->pktout, ",");
6238 ssh2_pkt_addstring_str(s->pktout, c->name);
6239 if (s->userauth_succeeded && c->delayed_name) {
6240 ssh2_pkt_addstring_str(s->pktout, ",");
6241 ssh2_pkt_addstring_str(s->pktout, c->delayed_name);
6246 /* List client->server languages. Empty list. */
6247 ssh2_pkt_addstring_start(s->pktout);
6248 /* List server->client languages. Empty list. */
6249 ssh2_pkt_addstring_start(s->pktout);
6250 /* First KEX packet does _not_ follow, because we're not that brave. */
6251 ssh2_pkt_addbool(s->pktout, FALSE);
6253 ssh2_pkt_adduint32(s->pktout, 0);
6256 s->our_kexinitlen = s->pktout->length - 5;
6257 s->our_kexinit = snewn(s->our_kexinitlen, unsigned char);
6258 memcpy(s->our_kexinit, s->pktout->data + 5, s->our_kexinitlen);
6260 ssh2_pkt_send_noqueue(ssh, s->pktout);
6263 crWaitUntilV(pktin);
6266 * Now examine the other side's KEXINIT to see what we're up
6270 char *str, *preferred;
6273 if (pktin->type != SSH2_MSG_KEXINIT) {
6274 bombout(("expected key exchange packet from server"));
6278 ssh->hostkey = NULL;
6279 s->cscipher_tobe = NULL;
6280 s->sccipher_tobe = NULL;
6281 s->csmac_tobe = NULL;
6282 s->scmac_tobe = NULL;
6283 s->cscomp_tobe = NULL;
6284 s->sccomp_tobe = NULL;
6285 s->warn_kex = s->warn_cscipher = s->warn_sccipher = FALSE;
6287 pktin->savedpos += 16; /* skip garbage cookie */
6288 ssh_pkt_getstring(pktin, &str, &len); /* key exchange algorithms */
6290 bombout(("KEXINIT packet was incomplete"));
6295 for (i = 0; i < s->n_preferred_kex; i++) {
6296 const struct ssh_kexes *k = s->preferred_kex[i];
6300 for (j = 0; j < k->nkexes; j++) {
6301 if (!preferred) preferred = k->list[j]->name;
6302 if (in_commasep_string(k->list[j]->name, str, len)) {
6303 ssh->kex = k->list[j];
6312 bombout(("Couldn't agree a key exchange algorithm"
6313 " (available: %.*s)", len, str));
6317 * Note that the server's guess is considered wrong if it doesn't match
6318 * the first algorithm in our list, even if it's still the algorithm
6321 s->guessok = first_in_commasep_string(preferred, str, len);
6322 ssh_pkt_getstring(pktin, &str, &len); /* host key algorithms */
6324 bombout(("KEXINIT packet was incomplete"));
6327 for (i = 0; i < lenof(hostkey_algs); i++) {
6328 if (in_commasep_string(hostkey_algs[i]->name, str, len)) {
6329 ssh->hostkey = hostkey_algs[i];
6333 if (!ssh->hostkey) {
6334 bombout(("Couldn't agree a host key algorithm"
6335 " (available: %.*s)", len, str));
6339 s->guessok = s->guessok &&
6340 first_in_commasep_string(hostkey_algs[0]->name, str, len);
6341 ssh_pkt_getstring(pktin, &str, &len); /* client->server cipher */
6343 bombout(("KEXINIT packet was incomplete"));
6346 for (i = 0; i < s->n_preferred_ciphers; i++) {
6347 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
6349 s->warn_cscipher = TRUE;
6351 for (j = 0; j < c->nciphers; j++) {
6352 if (in_commasep_string(c->list[j]->name, str, len)) {
6353 s->cscipher_tobe = c->list[j];
6358 if (s->cscipher_tobe)
6361 if (!s->cscipher_tobe) {
6362 bombout(("Couldn't agree a client-to-server cipher"
6363 " (available: %.*s)", len, str));
6367 ssh_pkt_getstring(pktin, &str, &len); /* server->client cipher */
6369 bombout(("KEXINIT packet was incomplete"));
6372 for (i = 0; i < s->n_preferred_ciphers; i++) {
6373 const struct ssh2_ciphers *c = s->preferred_ciphers[i];
6375 s->warn_sccipher = TRUE;
6377 for (j = 0; j < c->nciphers; j++) {
6378 if (in_commasep_string(c->list[j]->name, str, len)) {
6379 s->sccipher_tobe = c->list[j];
6384 if (s->sccipher_tobe)
6387 if (!s->sccipher_tobe) {
6388 bombout(("Couldn't agree a server-to-client cipher"
6389 " (available: %.*s)", len, str));
6393 ssh_pkt_getstring(pktin, &str, &len); /* client->server mac */
6395 bombout(("KEXINIT packet was incomplete"));
6398 for (i = 0; i < s->nmacs; i++) {
6399 if (in_commasep_string(s->maclist[i]->name, str, len)) {
6400 s->csmac_tobe = s->maclist[i];
6404 ssh_pkt_getstring(pktin, &str, &len); /* server->client mac */
6406 bombout(("KEXINIT packet was incomplete"));
6409 for (i = 0; i < s->nmacs; i++) {
6410 if (in_commasep_string(s->maclist[i]->name, str, len)) {
6411 s->scmac_tobe = s->maclist[i];
6415 ssh_pkt_getstring(pktin, &str, &len); /* client->server compression */
6417 bombout(("KEXINIT packet was incomplete"));
6420 for (i = 0; i < lenof(compressions) + 1; i++) {
6421 const struct ssh_compress *c =
6422 i == 0 ? s->preferred_comp : compressions[i - 1];
6423 if (in_commasep_string(c->name, str, len)) {
6426 } else if (in_commasep_string(c->delayed_name, str, len)) {
6427 if (s->userauth_succeeded) {
6431 s->pending_compression = TRUE; /* try this later */
6435 ssh_pkt_getstring(pktin, &str, &len); /* server->client compression */
6437 bombout(("KEXINIT packet was incomplete"));
6440 for (i = 0; i < lenof(compressions) + 1; i++) {
6441 const struct ssh_compress *c =
6442 i == 0 ? s->preferred_comp : compressions[i - 1];
6443 if (in_commasep_string(c->name, str, len)) {
6446 } else if (in_commasep_string(c->delayed_name, str, len)) {
6447 if (s->userauth_succeeded) {
6451 s->pending_compression = TRUE; /* try this later */
6455 if (s->pending_compression) {
6456 logevent("Server supports delayed compression; "
6457 "will try this later");
6459 ssh_pkt_getstring(pktin, &str, &len); /* client->server language */
6460 ssh_pkt_getstring(pktin, &str, &len); /* server->client language */
6461 s->ignorepkt = ssh2_pkt_getbool(pktin) && !s->guessok;
6463 ssh->exhash = ssh->kex->hash->init();
6464 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_c, strlen(ssh->v_c));
6465 hash_string(ssh->kex->hash, ssh->exhash, ssh->v_s, strlen(ssh->v_s));
6466 hash_string(ssh->kex->hash, ssh->exhash,
6467 s->our_kexinit, s->our_kexinitlen);
6468 sfree(s->our_kexinit);
6469 /* Include the type byte in the hash of server's KEXINIT */
6470 hash_string(ssh->kex->hash, ssh->exhash,
6471 pktin->body - 1, pktin->length + 1);
6474 ssh_set_frozen(ssh, 1);
6475 s->dlgret = askalg(ssh->frontend, "key-exchange algorithm",
6477 ssh_dialog_callback, ssh);
6478 if (s->dlgret < 0) {
6482 bombout(("Unexpected data from server while"
6483 " waiting for user response"));
6486 } while (pktin || inlen > 0);
6487 s->dlgret = ssh->user_response;
6489 ssh_set_frozen(ssh, 0);
6490 if (s->dlgret == 0) {
6491 ssh_disconnect(ssh, "User aborted at kex warning", NULL,
6497 if (s->warn_cscipher) {
6498 ssh_set_frozen(ssh, 1);
6499 s->dlgret = askalg(ssh->frontend,
6500 "client-to-server cipher",
6501 s->cscipher_tobe->name,
6502 ssh_dialog_callback, ssh);
6503 if (s->dlgret < 0) {
6507 bombout(("Unexpected data from server while"
6508 " waiting for user response"));
6511 } while (pktin || inlen > 0);
6512 s->dlgret = ssh->user_response;
6514 ssh_set_frozen(ssh, 0);
6515 if (s->dlgret == 0) {
6516 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
6522 if (s->warn_sccipher) {
6523 ssh_set_frozen(ssh, 1);
6524 s->dlgret = askalg(ssh->frontend,
6525 "server-to-client cipher",
6526 s->sccipher_tobe->name,
6527 ssh_dialog_callback, ssh);
6528 if (s->dlgret < 0) {
6532 bombout(("Unexpected data from server while"
6533 " waiting for user response"));
6536 } while (pktin || inlen > 0);
6537 s->dlgret = ssh->user_response;
6539 ssh_set_frozen(ssh, 0);
6540 if (s->dlgret == 0) {
6541 ssh_disconnect(ssh, "User aborted at cipher warning", NULL,
6547 if (s->ignorepkt) /* first_kex_packet_follows */
6548 crWaitUntilV(pktin); /* Ignore packet */
6551 if (ssh->kex->main_type == KEXTYPE_DH) {
6553 * Work out the number of bits of key we will need from the
6554 * key exchange. We start with the maximum key length of
6560 csbits = s->cscipher_tobe->keylen;
6561 scbits = s->sccipher_tobe->keylen;
6562 s->nbits = (csbits > scbits ? csbits : scbits);
6564 /* The keys only have hlen-bit entropy, since they're based on
6565 * a hash. So cap the key size at hlen bits. */
6566 if (s->nbits > ssh->kex->hash->hlen * 8)
6567 s->nbits = ssh->kex->hash->hlen * 8;
6570 * If we're doing Diffie-Hellman group exchange, start by
6571 * requesting a group.
6573 if (!ssh->kex->pdata) {
6574 logevent("Doing Diffie-Hellman group exchange");
6575 ssh->pkt_kctx = SSH2_PKTCTX_DHGEX;
6577 * Work out how big a DH group we will need to allow that
6580 s->pbits = 512 << ((s->nbits - 1) / 64);
6581 s->pktout = ssh2_pkt_init(SSH2_MSG_KEX_DH_GEX_REQUEST);
6582 ssh2_pkt_adduint32(s->pktout, s->pbits);
6583 ssh2_pkt_send_noqueue(ssh, s->pktout);
6585 crWaitUntilV(pktin);
6586 if (pktin->type != SSH2_MSG_KEX_DH_GEX_GROUP) {
6587 bombout(("expected key exchange group packet from server"));
6590 s->p = ssh2_pkt_getmp(pktin);
6591 s->g = ssh2_pkt_getmp(pktin);
6592 if (!s->p || !s->g) {
6593 bombout(("unable to read mp-ints from incoming group packet"));
6596 ssh->kex_ctx = dh_setup_gex(s->p, s->g);
6597 s->kex_init_value = SSH2_MSG_KEX_DH_GEX_INIT;
6598 s->kex_reply_value = SSH2_MSG_KEX_DH_GEX_REPLY;
6600 ssh->pkt_kctx = SSH2_PKTCTX_DHGROUP;
6601 ssh->kex_ctx = dh_setup_group(ssh->kex);
6602 s->kex_init_value = SSH2_MSG_KEXDH_INIT;
6603 s->kex_reply_value = SSH2_MSG_KEXDH_REPLY;
6604 logeventf(ssh, "Using Diffie-Hellman with standard group \"%s\"",
6605 ssh->kex->groupname);
6608 logeventf(ssh, "Doing Diffie-Hellman key exchange with hash %s",
6609 ssh->kex->hash->text_name);
6611 * Now generate and send e for Diffie-Hellman.
6613 set_busy_status(ssh->frontend, BUSY_CPU); /* this can take a while */
6614 s->e = dh_create_e(ssh->kex_ctx, s->nbits * 2);
6615 s->pktout = ssh2_pkt_init(s->kex_init_value);
6616 ssh2_pkt_addmp(s->pktout, s->e);
6617 ssh2_pkt_send_noqueue(ssh, s->pktout);
6619 set_busy_status(ssh->frontend, BUSY_WAITING); /* wait for server */
6620 crWaitUntilV(pktin);
6621 if (pktin->type != s->kex_reply_value) {
6622 bombout(("expected key exchange reply packet from server"));
6625 set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
6626 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
6627 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
6628 s->f = ssh2_pkt_getmp(pktin);
6630 bombout(("unable to parse key exchange reply packet"));
6633 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
6635 s->K = dh_find_K(ssh->kex_ctx, s->f);
6637 /* We assume everything from now on will be quick, and it might
6638 * involve user interaction. */
6639 set_busy_status(ssh->frontend, BUSY_NOT);
6641 hash_string(ssh->kex->hash, ssh->exhash, s->hostkeydata, s->hostkeylen);
6642 if (!ssh->kex->pdata) {
6643 hash_uint32(ssh->kex->hash, ssh->exhash, s->pbits);
6644 hash_mpint(ssh->kex->hash, ssh->exhash, s->p);
6645 hash_mpint(ssh->kex->hash, ssh->exhash, s->g);
6647 hash_mpint(ssh->kex->hash, ssh->exhash, s->e);
6648 hash_mpint(ssh->kex->hash, ssh->exhash, s->f);
6650 dh_cleanup(ssh->kex_ctx);
6652 if (!ssh->kex->pdata) {
6657 logeventf(ssh, "Doing RSA key exchange with hash %s",
6658 ssh->kex->hash->text_name);
6659 ssh->pkt_kctx = SSH2_PKTCTX_RSAKEX;
6661 * RSA key exchange. First expect a KEXRSA_PUBKEY packet
6664 crWaitUntilV(pktin);
6665 if (pktin->type != SSH2_MSG_KEXRSA_PUBKEY) {
6666 bombout(("expected RSA public key packet from server"));
6670 ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
6671 hash_string(ssh->kex->hash, ssh->exhash,
6672 s->hostkeydata, s->hostkeylen);
6673 s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
6677 ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
6678 s->rsakeydata = snewn(s->rsakeylen, char);
6679 memcpy(s->rsakeydata, keydata, s->rsakeylen);
6682 s->rsakey = ssh_rsakex_newkey(s->rsakeydata, s->rsakeylen);
6684 sfree(s->rsakeydata);
6685 bombout(("unable to parse RSA public key from server"));
6689 hash_string(ssh->kex->hash, ssh->exhash, s->rsakeydata, s->rsakeylen);
6692 * Next, set up a shared secret K, of precisely KLEN -
6693 * 2*HLEN - 49 bits, where KLEN is the bit length of the
6694 * RSA key modulus and HLEN is the bit length of the hash
6698 int klen = ssh_rsakex_klen(s->rsakey);
6699 int nbits = klen - (2*ssh->kex->hash->hlen*8 + 49);
6701 unsigned char *kstr1, *kstr2, *outstr;
6702 int kstr1len, kstr2len, outstrlen;
6704 s->K = bn_power_2(nbits - 1);
6706 for (i = 0; i < nbits; i++) {
6708 byte = random_byte();
6710 bignum_set_bit(s->K, i, (byte >> (i & 7)) & 1);
6714 * Encode this as an mpint.
6716 kstr1 = ssh2_mpint_fmt(s->K, &kstr1len);
6717 kstr2 = snewn(kstr2len = 4 + kstr1len, unsigned char);
6718 PUT_32BIT(kstr2, kstr1len);
6719 memcpy(kstr2 + 4, kstr1, kstr1len);
6722 * Encrypt it with the given RSA key.
6724 outstrlen = (klen + 7) / 8;
6725 outstr = snewn(outstrlen, unsigned char);
6726 ssh_rsakex_encrypt(ssh->kex->hash, kstr2, kstr2len,
6727 outstr, outstrlen, s->rsakey);
6730 * And send it off in a return packet.
6732 s->pktout = ssh2_pkt_init(SSH2_MSG_KEXRSA_SECRET);
6733 ssh2_pkt_addstring_start(s->pktout);
6734 ssh2_pkt_addstring_data(s->pktout, (char *)outstr, outstrlen);
6735 ssh2_pkt_send_noqueue(ssh, s->pktout);
6737 hash_string(ssh->kex->hash, ssh->exhash, outstr, outstrlen);
6744 ssh_rsakex_freekey(s->rsakey);
6746 crWaitUntilV(pktin);
6747 if (pktin->type != SSH2_MSG_KEXRSA_DONE) {
6748 sfree(s->rsakeydata);
6749 bombout(("expected signature packet from server"));
6753 ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
6755 sfree(s->rsakeydata);
6758 hash_mpint(ssh->kex->hash, ssh->exhash, s->K);
6759 assert(ssh->kex->hash->hlen <= sizeof(s->exchange_hash));
6760 ssh->kex->hash->final(ssh->exhash, s->exchange_hash);
6762 ssh->kex_ctx = NULL;
6765 debug(("Exchange hash is:\n"));
6766 dmemdump(s->exchange_hash, ssh->kex->hash->hlen);
6770 !ssh->hostkey->verifysig(s->hkey, s->sigdata, s->siglen,
6771 (char *)s->exchange_hash,
6772 ssh->kex->hash->hlen)) {
6773 bombout(("Server's host key did not match the signature supplied"));
6777 s->keystr = ssh->hostkey->fmtkey(s->hkey);
6778 if (!s->got_session_id) {
6780 * Authenticate remote host: verify host key. (We've already
6781 * checked the signature of the exchange hash.)
6783 s->fingerprint = ssh->hostkey->fingerprint(s->hkey);
6784 logevent("Host key fingerprint is:");
6785 logevent(s->fingerprint);
6786 /* First check against manually configured host keys. */
6787 s->dlgret = verify_ssh_manual_host_key(ssh, s->fingerprint,
6788 ssh->hostkey, s->hkey);
6789 if (s->dlgret == 0) { /* did not match */
6790 bombout(("Host key did not appear in manually configured list"));
6792 } else if (s->dlgret < 0) { /* none configured; use standard handling */
6793 ssh_set_frozen(ssh, 1);
6794 s->dlgret = verify_ssh_host_key(ssh->frontend,
6795 ssh->savedhost, ssh->savedport,
6796 ssh->hostkey->keytype, s->keystr,
6798 ssh_dialog_callback, ssh);
6799 if (s->dlgret < 0) {
6803 bombout(("Unexpected data from server while waiting"
6804 " for user host key response"));
6807 } while (pktin || inlen > 0);
6808 s->dlgret = ssh->user_response;
6810 ssh_set_frozen(ssh, 0);
6811 if (s->dlgret == 0) {
6812 ssh_disconnect(ssh, "Aborted at host key verification", NULL,
6817 sfree(s->fingerprint);
6819 * Save this host key, to check against the one presented in
6820 * subsequent rekeys.
6822 ssh->hostkey_str = s->keystr;
6825 * In a rekey, we never present an interactive host key
6826 * verification request to the user. Instead, we simply
6827 * enforce that the key we're seeing this time is identical to
6828 * the one we saw before.
6830 if (strcmp(ssh->hostkey_str, s->keystr)) {
6831 bombout(("Host key was different in repeat key exchange"));
6836 ssh->hostkey->freekey(s->hkey);
6839 * The exchange hash from the very first key exchange is also
6840 * the session id, used in session key construction and
6843 if (!s->got_session_id) {
6844 assert(sizeof(s->exchange_hash) <= sizeof(ssh->v2_session_id));
6845 memcpy(ssh->v2_session_id, s->exchange_hash,
6846 sizeof(s->exchange_hash));
6847 ssh->v2_session_id_len = ssh->kex->hash->hlen;
6848 assert(ssh->v2_session_id_len <= sizeof(ssh->v2_session_id));
6849 s->got_session_id = TRUE;
6853 * Send SSH2_MSG_NEWKEYS.
6855 s->pktout = ssh2_pkt_init(SSH2_MSG_NEWKEYS);
6856 ssh2_pkt_send_noqueue(ssh, s->pktout);
6857 ssh->outgoing_data_size = 0; /* start counting from here */
6860 * We've sent client NEWKEYS, so create and initialise
6861 * client-to-server session keys.
6863 if (ssh->cs_cipher_ctx)
6864 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
6865 ssh->cscipher = s->cscipher_tobe;
6866 ssh->cs_cipher_ctx = ssh->cscipher->make_context();
6868 if (ssh->cs_mac_ctx)
6869 ssh->csmac->free_context(ssh->cs_mac_ctx);
6870 ssh->csmac = s->csmac_tobe;
6871 ssh->cs_mac_ctx = ssh->csmac->make_context();
6873 if (ssh->cs_comp_ctx)
6874 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
6875 ssh->cscomp = s->cscomp_tobe;
6876 ssh->cs_comp_ctx = ssh->cscomp->compress_init();
6879 * Set IVs on client-to-server keys. Here we use the exchange
6880 * hash from the _first_ key exchange.
6883 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6884 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6885 ssh2_mkkey(ssh,s->K,s->exchange_hash,'C',keyspace);
6886 assert((ssh->cscipher->keylen+7) / 8 <=
6887 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6888 ssh->cscipher->setkey(ssh->cs_cipher_ctx, keyspace);
6889 ssh2_mkkey(ssh,s->K,s->exchange_hash,'A',keyspace);
6890 assert(ssh->cscipher->blksize <=
6891 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6892 ssh->cscipher->setiv(ssh->cs_cipher_ctx, keyspace);
6893 ssh2_mkkey(ssh,s->K,s->exchange_hash,'E',keyspace);
6894 assert(ssh->csmac->len <=
6895 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6896 ssh->csmac->setkey(ssh->cs_mac_ctx, keyspace);
6897 smemclr(keyspace, sizeof(keyspace));
6900 logeventf(ssh, "Initialised %.200s client->server encryption",
6901 ssh->cscipher->text_name);
6902 logeventf(ssh, "Initialised %.200s client->server MAC algorithm",
6903 ssh->csmac->text_name);
6904 if (ssh->cscomp->text_name)
6905 logeventf(ssh, "Initialised %s compression",
6906 ssh->cscomp->text_name);
6909 * Now our end of the key exchange is complete, we can send all
6910 * our queued higher-layer packets.
6912 ssh->queueing = FALSE;
6913 ssh2_pkt_queuesend(ssh);
6916 * Expect SSH2_MSG_NEWKEYS from server.
6918 crWaitUntilV(pktin);
6919 if (pktin->type != SSH2_MSG_NEWKEYS) {
6920 bombout(("expected new-keys packet from server"));
6923 ssh->incoming_data_size = 0; /* start counting from here */
6926 * We've seen server NEWKEYS, so create and initialise
6927 * server-to-client session keys.
6929 if (ssh->sc_cipher_ctx)
6930 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
6931 ssh->sccipher = s->sccipher_tobe;
6932 ssh->sc_cipher_ctx = ssh->sccipher->make_context();
6934 if (ssh->sc_mac_ctx)
6935 ssh->scmac->free_context(ssh->sc_mac_ctx);
6936 ssh->scmac = s->scmac_tobe;
6937 ssh->sc_mac_ctx = ssh->scmac->make_context();
6939 if (ssh->sc_comp_ctx)
6940 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
6941 ssh->sccomp = s->sccomp_tobe;
6942 ssh->sc_comp_ctx = ssh->sccomp->decompress_init();
6945 * Set IVs on server-to-client keys. Here we use the exchange
6946 * hash from the _first_ key exchange.
6949 unsigned char keyspace[SSH2_KEX_MAX_HASH_LEN * SSH2_MKKEY_ITERS];
6950 assert(sizeof(keyspace) >= ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6951 ssh2_mkkey(ssh,s->K,s->exchange_hash,'D',keyspace);
6952 assert((ssh->sccipher->keylen+7) / 8 <=
6953 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6954 ssh->sccipher->setkey(ssh->sc_cipher_ctx, keyspace);
6955 ssh2_mkkey(ssh,s->K,s->exchange_hash,'B',keyspace);
6956 assert(ssh->sccipher->blksize <=
6957 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6958 ssh->sccipher->setiv(ssh->sc_cipher_ctx, keyspace);
6959 ssh2_mkkey(ssh,s->K,s->exchange_hash,'F',keyspace);
6960 assert(ssh->scmac->len <=
6961 ssh->kex->hash->hlen * SSH2_MKKEY_ITERS);
6962 ssh->scmac->setkey(ssh->sc_mac_ctx, keyspace);
6963 smemclr(keyspace, sizeof(keyspace));
6965 logeventf(ssh, "Initialised %.200s server->client encryption",
6966 ssh->sccipher->text_name);
6967 logeventf(ssh, "Initialised %.200s server->client MAC algorithm",
6968 ssh->scmac->text_name);
6969 if (ssh->sccomp->text_name)
6970 logeventf(ssh, "Initialised %s decompression",
6971 ssh->sccomp->text_name);
6974 * Free shared secret.
6979 * Key exchange is over. Loop straight back round if we have a
6980 * deferred rekey reason.
6982 if (ssh->deferred_rekey_reason) {
6983 logevent(ssh->deferred_rekey_reason);
6985 ssh->deferred_rekey_reason = NULL;
6986 goto begin_key_exchange;
6990 * Otherwise, schedule a timer for our next rekey.
6992 ssh->kex_in_progress = FALSE;
6993 ssh->last_rekey = GETTICKCOUNT();
6994 if (conf_get_int(ssh->conf, CONF_ssh_rekey_time) != 0)
6995 ssh->next_rekey = schedule_timer(conf_get_int(ssh->conf, CONF_ssh_rekey_time)*60*TICKSPERSEC,
6999 * Now we're encrypting. Begin returning 1 to the protocol main
7000 * function so that other things can run on top of the
7001 * transport. If we ever see a KEXINIT, we must go back to the
7004 * We _also_ go back to the start if we see pktin==NULL and
7005 * inlen negative, because this is a special signal meaning
7006 * `initiate client-driven rekey', and `in' contains a message
7007 * giving the reason for the rekey.
7009 * inlen==-1 means always initiate a rekey;
7010 * inlen==-2 means that userauth has completed successfully and
7011 * we should consider rekeying (for delayed compression).
7013 while (!((pktin && pktin->type == SSH2_MSG_KEXINIT) ||
7014 (!pktin && inlen < 0))) {
7016 if (!ssh->protocol_initial_phase_done) {
7017 ssh->protocol_initial_phase_done = TRUE;
7019 * Allow authconn to initialise itself.
7021 do_ssh2_authconn(ssh, NULL, 0, NULL);
7026 logevent("Server initiated key re-exchange");
7030 * authconn has seen a USERAUTH_SUCCEEDED. Time to enable
7031 * delayed compression, if it's available.
7033 * draft-miller-secsh-compression-delayed-00 says that you
7034 * negotiate delayed compression in the first key exchange, and
7035 * both sides start compressing when the server has sent
7036 * USERAUTH_SUCCESS. This has a race condition -- the server
7037 * can't know when the client has seen it, and thus which incoming
7038 * packets it should treat as compressed.
7040 * Instead, we do the initial key exchange without offering the
7041 * delayed methods, but note if the server offers them; when we
7042 * get here, if a delayed method was available that was higher
7043 * on our list than what we got, we initiate a rekey in which we
7044 * _do_ list the delayed methods (and hopefully get it as a
7045 * result). Subsequent rekeys will do the same.
7047 assert(!s->userauth_succeeded); /* should only happen once */
7048 s->userauth_succeeded = TRUE;
7049 if (!s->pending_compression)
7050 /* Can't see any point rekeying. */
7051 goto wait_for_rekey; /* this is utterly horrid */
7052 /* else fall through to rekey... */
7053 s->pending_compression = FALSE;
7056 * Now we've decided to rekey.
7058 * Special case: if the server bug is set that doesn't
7059 * allow rekeying, we give a different log message and
7060 * continue waiting. (If such a server _initiates_ a rekey,
7061 * we process it anyway!)
7063 if ((ssh->remote_bugs & BUG_SSH2_REKEY)) {
7064 logeventf(ssh, "Server bug prevents key re-exchange (%s)",
7066 /* Reset the counters, so that at least this message doesn't
7067 * hit the event log _too_ often. */
7068 ssh->outgoing_data_size = 0;
7069 ssh->incoming_data_size = 0;
7070 if (conf_get_int(ssh->conf, CONF_ssh_rekey_time) != 0) {
7072 schedule_timer(conf_get_int(ssh->conf, CONF_ssh_rekey_time)*60*TICKSPERSEC,
7075 goto wait_for_rekey; /* this is still utterly horrid */
7077 logeventf(ssh, "Initiating key re-exchange (%s)", (char *)in);
7080 goto begin_key_exchange;
7086 * Add data to an SSH-2 channel output buffer.
7088 static void ssh2_add_channel_data(struct ssh_channel *c, char *buf,
7091 bufchain_add(&c->v.v2.outbuffer, buf, len);
7095 * Attempt to send data on an SSH-2 channel.
7097 static int ssh2_try_send(struct ssh_channel *c)
7100 struct Packet *pktout;
7103 while (c->v.v2.remwindow > 0 && bufchain_size(&c->v.v2.outbuffer) > 0) {
7106 bufchain_prefix(&c->v.v2.outbuffer, &data, &len);
7107 if ((unsigned)len > c->v.v2.remwindow)
7108 len = c->v.v2.remwindow;
7109 if ((unsigned)len > c->v.v2.remmaxpkt)
7110 len = c->v.v2.remmaxpkt;
7111 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_DATA);
7112 ssh2_pkt_adduint32(pktout, c->remoteid);
7113 ssh2_pkt_addstring_start(pktout);
7114 ssh2_pkt_addstring_data(pktout, data, len);
7115 ssh2_pkt_send(ssh, pktout);
7116 bufchain_consume(&c->v.v2.outbuffer, len);
7117 c->v.v2.remwindow -= len;
7121 * After having sent as much data as we can, return the amount
7124 ret = bufchain_size(&c->v.v2.outbuffer);
7127 * And if there's no data pending but we need to send an EOF, send
7130 if (!ret && c->pending_eof)
7131 ssh_channel_try_eof(c);
7136 static void ssh2_try_send_and_unthrottle(Ssh ssh, struct ssh_channel *c)
7139 if (c->closes & CLOSES_SENT_EOF)
7140 return; /* don't send on channels we've EOFed */
7141 bufsize = ssh2_try_send(c);
7144 case CHAN_MAINSESSION:
7145 /* stdin need not receive an unthrottle
7146 * notification since it will be polled */
7149 x11_unthrottle(c->u.x11.xconn);
7152 /* agent sockets are request/response and need no
7153 * buffer management */
7156 pfd_unthrottle(c->u.pfd.pf);
7162 static int ssh_is_simple(Ssh ssh)
7165 * We use the 'simple' variant of the SSH protocol if we're asked
7166 * to, except not if we're also doing connection-sharing (either
7167 * tunnelling our packets over an upstream or expecting to be
7168 * tunnelled over ourselves), since then the assumption that we
7169 * have only one channel to worry about is not true after all.
7171 return (conf_get_int(ssh->conf, CONF_ssh_simple) &&
7172 !ssh->bare_connection && !ssh->connshare);
7176 * Set up most of a new ssh_channel for SSH-2.
7178 static void ssh2_channel_init(struct ssh_channel *c)
7181 c->localid = alloc_channel_id(ssh);
7183 c->pending_eof = FALSE;
7184 c->throttling_conn = FALSE;
7185 c->v.v2.locwindow = c->v.v2.locmaxwin = c->v.v2.remlocwin =
7186 ssh_is_simple(ssh) ? OUR_V2_BIGWIN : OUR_V2_WINSIZE;
7187 c->v.v2.chanreq_head = NULL;
7188 c->v.v2.throttle_state = UNTHROTTLED;
7189 bufchain_init(&c->v.v2.outbuffer);
7193 * Construct the common parts of a CHANNEL_OPEN.
7195 static struct Packet *ssh2_chanopen_init(struct ssh_channel *c, char *type)
7197 struct Packet *pktout;
7199 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN);
7200 ssh2_pkt_addstring(pktout, type);
7201 ssh2_pkt_adduint32(pktout, c->localid);
7202 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);/* our window size */
7203 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
7208 * CHANNEL_FAILURE doesn't come with any indication of what message
7209 * caused it, so we have to keep track of the outstanding
7210 * CHANNEL_REQUESTs ourselves.
7212 static void ssh2_queue_chanreq_handler(struct ssh_channel *c,
7213 cchandler_fn_t handler, void *ctx)
7215 struct outstanding_channel_request *ocr =
7216 snew(struct outstanding_channel_request);
7218 assert(!(c->closes & (CLOSES_SENT_CLOSE | CLOSES_RCVD_CLOSE)));
7219 ocr->handler = handler;
7222 if (!c->v.v2.chanreq_head)
7223 c->v.v2.chanreq_head = ocr;
7225 c->v.v2.chanreq_tail->next = ocr;
7226 c->v.v2.chanreq_tail = ocr;
7230 * Construct the common parts of a CHANNEL_REQUEST. If handler is not
7231 * NULL then a reply will be requested and the handler will be called
7232 * when it arrives. The returned packet is ready to have any
7233 * request-specific data added and be sent. Note that if a handler is
7234 * provided, it's essential that the request actually be sent.
7236 * The handler will usually be passed the response packet in pktin. If
7237 * pktin is NULL, this means that no reply will ever be forthcoming
7238 * (e.g. because the entire connection is being destroyed, or because
7239 * the server initiated channel closure before we saw the response)
7240 * and the handler should free any storage it's holding.
7242 static struct Packet *ssh2_chanreq_init(struct ssh_channel *c, char *type,
7243 cchandler_fn_t handler, void *ctx)
7245 struct Packet *pktout;
7247 assert(!(c->closes & (CLOSES_SENT_CLOSE | CLOSES_RCVD_CLOSE)));
7248 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_REQUEST);
7249 ssh2_pkt_adduint32(pktout, c->remoteid);
7250 ssh2_pkt_addstring(pktout, type);
7251 ssh2_pkt_addbool(pktout, handler != NULL);
7252 if (handler != NULL)
7253 ssh2_queue_chanreq_handler(c, handler, ctx);
7258 * Potentially enlarge the window on an SSH-2 channel.
7260 static void ssh2_handle_winadj_response(struct ssh_channel *, struct Packet *,
7262 static void ssh2_set_window(struct ssh_channel *c, int newwin)
7267 * Never send WINDOW_ADJUST for a channel that the remote side has
7268 * already sent EOF on; there's no point, since it won't be
7269 * sending any more data anyway. Ditto if _we've_ already sent
7272 if (c->closes & (CLOSES_RCVD_EOF | CLOSES_SENT_CLOSE))
7276 * Also, never widen the window for an X11 channel when we're
7277 * still waiting to see its initial auth and may yet hand it off
7280 if (c->type == CHAN_X11 && c->u.x11.initial)
7284 * If the remote end has a habit of ignoring maxpkt, limit the
7285 * window so that it has no choice (assuming it doesn't ignore the
7288 if ((ssh->remote_bugs & BUG_SSH2_MAXPKT) && newwin > OUR_V2_MAXPKT)
7289 newwin = OUR_V2_MAXPKT;
7292 * Only send a WINDOW_ADJUST if there's significantly more window
7293 * available than the other end thinks there is. This saves us
7294 * sending a WINDOW_ADJUST for every character in a shell session.
7296 * "Significant" is arbitrarily defined as half the window size.
7298 if (newwin / 2 >= c->v.v2.locwindow) {
7299 struct Packet *pktout;
7303 * In order to keep track of how much window the client
7304 * actually has available, we'd like it to acknowledge each
7305 * WINDOW_ADJUST. We can't do that directly, so we accompany
7306 * it with a CHANNEL_REQUEST that has to be acknowledged.
7308 * This is only necessary if we're opening the window wide.
7309 * If we're not, then throughput is being constrained by
7310 * something other than the maximum window size anyway.
7312 if (newwin == c->v.v2.locmaxwin &&
7313 !(ssh->remote_bugs & BUG_CHOKES_ON_WINADJ)) {
7314 up = snew(unsigned);
7315 *up = newwin - c->v.v2.locwindow;
7316 pktout = ssh2_chanreq_init(c, "winadj@putty.projects.tartarus.org",
7317 ssh2_handle_winadj_response, up);
7318 ssh2_pkt_send(ssh, pktout);
7320 if (c->v.v2.throttle_state != UNTHROTTLED)
7321 c->v.v2.throttle_state = UNTHROTTLING;
7323 /* Pretend the WINDOW_ADJUST was acked immediately. */
7324 c->v.v2.remlocwin = newwin;
7325 c->v.v2.throttle_state = THROTTLED;
7327 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
7328 ssh2_pkt_adduint32(pktout, c->remoteid);
7329 ssh2_pkt_adduint32(pktout, newwin - c->v.v2.locwindow);
7330 ssh2_pkt_send(ssh, pktout);
7331 c->v.v2.locwindow = newwin;
7336 * Find the channel associated with a message. If there's no channel,
7337 * or it's not properly open, make a noise about it and return NULL.
7339 static struct ssh_channel *ssh2_channel_msg(Ssh ssh, struct Packet *pktin)
7341 unsigned localid = ssh_pkt_getuint32(pktin);
7342 struct ssh_channel *c;
7344 c = find234(ssh->channels, &localid, ssh_channelfind);
7346 (c->type != CHAN_SHARING && c->halfopen &&
7347 pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION &&
7348 pktin->type != SSH2_MSG_CHANNEL_OPEN_FAILURE)) {
7349 char *buf = dupprintf("Received %s for %s channel %u",
7350 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
7352 c ? "half-open" : "nonexistent", localid);
7353 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
7360 static void ssh2_handle_winadj_response(struct ssh_channel *c,
7361 struct Packet *pktin, void *ctx)
7363 unsigned *sizep = ctx;
7366 * Winadj responses should always be failures. However, at least
7367 * one server ("boks_sshd") is known to return SUCCESS for channel
7368 * requests it's never heard of, such as "winadj@putty". Raised
7369 * with foxt.com as bug 090916-090424, but for the sake of a quiet
7370 * life, we don't worry about what kind of response we got.
7373 c->v.v2.remlocwin += *sizep;
7376 * winadj messages are only sent when the window is fully open, so
7377 * if we get an ack of one, we know any pending unthrottle is
7380 if (c->v.v2.throttle_state == UNTHROTTLING)
7381 c->v.v2.throttle_state = UNTHROTTLED;
7384 static void ssh2_msg_channel_response(Ssh ssh, struct Packet *pktin)
7386 struct ssh_channel *c = ssh2_channel_msg(ssh, pktin);
7387 struct outstanding_channel_request *ocr;
7390 if (c->type == CHAN_SHARING) {
7391 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7392 pktin->body, pktin->length);
7395 ocr = c->v.v2.chanreq_head;
7397 ssh2_msg_unexpected(ssh, pktin);
7400 ocr->handler(c, pktin, ocr->ctx);
7401 c->v.v2.chanreq_head = ocr->next;
7404 * We may now initiate channel-closing procedures, if that
7405 * CHANNEL_REQUEST was the last thing outstanding before we send
7408 ssh2_channel_check_close(c);
7411 static void ssh2_msg_channel_window_adjust(Ssh ssh, struct Packet *pktin)
7413 struct ssh_channel *c;
7414 c = ssh2_channel_msg(ssh, pktin);
7417 if (c->type == CHAN_SHARING) {
7418 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7419 pktin->body, pktin->length);
7422 if (!(c->closes & CLOSES_SENT_EOF)) {
7423 c->v.v2.remwindow += ssh_pkt_getuint32(pktin);
7424 ssh2_try_send_and_unthrottle(ssh, c);
7428 static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
7432 struct ssh_channel *c;
7433 c = ssh2_channel_msg(ssh, pktin);
7436 if (c->type == CHAN_SHARING) {
7437 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7438 pktin->body, pktin->length);
7441 if (pktin->type == SSH2_MSG_CHANNEL_EXTENDED_DATA &&
7442 ssh_pkt_getuint32(pktin) != SSH2_EXTENDED_DATA_STDERR)
7443 return; /* extended but not stderr */
7444 ssh_pkt_getstring(pktin, &data, &length);
7447 c->v.v2.locwindow -= length;
7448 c->v.v2.remlocwin -= length;
7450 case CHAN_MAINSESSION:
7452 from_backend(ssh->frontend, pktin->type ==
7453 SSH2_MSG_CHANNEL_EXTENDED_DATA,
7457 bufsize = x11_send(c->u.x11.xconn, data, length);
7460 bufsize = pfd_send(c->u.pfd.pf, data, length);
7463 while (length > 0) {
7464 if (c->u.a.lensofar < 4) {
7465 unsigned int l = min(4 - c->u.a.lensofar,
7467 memcpy(c->u.a.msglen + c->u.a.lensofar,
7471 c->u.a.lensofar += l;
7473 if (c->u.a.lensofar == 4) {
7475 4 + GET_32BIT(c->u.a.msglen);
7476 c->u.a.message = snewn(c->u.a.totallen,
7478 memcpy(c->u.a.message, c->u.a.msglen, 4);
7480 if (c->u.a.lensofar >= 4 && length > 0) {
7482 min(c->u.a.totallen - c->u.a.lensofar,
7484 memcpy(c->u.a.message + c->u.a.lensofar,
7488 c->u.a.lensofar += l;
7490 if (c->u.a.lensofar == c->u.a.totallen) {
7493 c->u.a.outstanding_requests++;
7494 if (agent_query(c->u.a.message,
7497 ssh_agentf_callback, c))
7498 ssh_agentf_callback(c, reply, replylen);
7499 sfree(c->u.a.message);
7500 c->u.a.message = NULL;
7501 c->u.a.lensofar = 0;
7508 * If it looks like the remote end hit the end of its window,
7509 * and we didn't want it to do that, think about using a
7512 if (c->v.v2.remlocwin <= 0 && c->v.v2.throttle_state == UNTHROTTLED &&
7513 c->v.v2.locmaxwin < 0x40000000)
7514 c->v.v2.locmaxwin += OUR_V2_WINSIZE;
7516 * If we are not buffering too much data,
7517 * enlarge the window again at the remote side.
7518 * If we are buffering too much, we may still
7519 * need to adjust the window if the server's
7522 ssh2_set_window(c, bufsize < c->v.v2.locmaxwin ?
7523 c->v.v2.locmaxwin - bufsize : 0);
7525 * If we're either buffering way too much data, or if we're
7526 * buffering anything at all and we're in "simple" mode,
7527 * throttle the whole channel.
7529 if ((bufsize > c->v.v2.locmaxwin || (ssh_is_simple(ssh) && bufsize>0))
7530 && !c->throttling_conn) {
7531 c->throttling_conn = 1;
7532 ssh_throttle_conn(ssh, +1);
7537 static void ssh_check_termination(Ssh ssh)
7539 if (ssh->version == 2 &&
7540 !conf_get_int(ssh->conf, CONF_ssh_no_shell) &&
7541 count234(ssh->channels) == 0 &&
7542 !(ssh->connshare && share_ndownstreams(ssh->connshare) > 0)) {
7544 * We used to send SSH_MSG_DISCONNECT here, because I'd
7545 * believed that _every_ conforming SSH-2 connection had to
7546 * end with a disconnect being sent by at least one side;
7547 * apparently I was wrong and it's perfectly OK to
7548 * unceremoniously slam the connection shut when you're done,
7549 * and indeed OpenSSH feels this is more polite than sending a
7550 * DISCONNECT. So now we don't.
7552 ssh_disconnect(ssh, "All channels closed", NULL, 0, TRUE);
7556 void ssh_sharing_downstream_connected(Ssh ssh, unsigned id)
7558 logeventf(ssh, "Connection sharing downstream #%u connected", id);
7561 void ssh_sharing_downstream_disconnected(Ssh ssh, unsigned id)
7563 logeventf(ssh, "Connection sharing downstream #%u disconnected", id);
7564 ssh_check_termination(ssh);
7567 void ssh_sharing_logf(Ssh ssh, unsigned id, const char *logfmt, ...)
7572 va_start(ap, logfmt);
7573 buf = dupvprintf(logfmt, ap);
7576 logeventf(ssh, "Connection sharing downstream #%u: %s", id, buf);
7578 logeventf(ssh, "Connection sharing: %s", buf);
7582 static void ssh_channel_destroy(struct ssh_channel *c)
7587 case CHAN_MAINSESSION:
7588 ssh->mainchan = NULL;
7589 update_specials_menu(ssh->frontend);
7592 if (c->u.x11.xconn != NULL)
7593 x11_close(c->u.x11.xconn);
7594 logevent("Forwarded X11 connection terminated");
7597 sfree(c->u.a.message);
7600 if (c->u.pfd.pf != NULL)
7601 pfd_close(c->u.pfd.pf);
7602 logevent("Forwarded port closed");
7606 del234(ssh->channels, c);
7607 if (ssh->version == 2) {
7608 bufchain_clear(&c->v.v2.outbuffer);
7609 assert(c->v.v2.chanreq_head == NULL);
7614 * If that was the last channel left open, we might need to
7617 ssh_check_termination(ssh);
7620 static void ssh2_channel_check_close(struct ssh_channel *c)
7623 struct Packet *pktout;
7627 * If we've sent out our own CHANNEL_OPEN but not yet seen
7628 * either OPEN_CONFIRMATION or OPEN_FAILURE in response, then
7629 * it's too early to be sending close messages of any kind.
7634 if ((!((CLOSES_SENT_EOF | CLOSES_RCVD_EOF) & ~c->closes) ||
7635 c->type == CHAN_ZOMBIE) &&
7636 !c->v.v2.chanreq_head &&
7637 !(c->closes & CLOSES_SENT_CLOSE)) {
7639 * We have both sent and received EOF (or the channel is a
7640 * zombie), and we have no outstanding channel requests, which
7641 * means the channel is in final wind-up. But we haven't sent
7642 * CLOSE, so let's do so now.
7644 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_CLOSE);
7645 ssh2_pkt_adduint32(pktout, c->remoteid);
7646 ssh2_pkt_send(ssh, pktout);
7647 c->closes |= CLOSES_SENT_EOF | CLOSES_SENT_CLOSE;
7650 if (!((CLOSES_SENT_CLOSE | CLOSES_RCVD_CLOSE) & ~c->closes)) {
7651 assert(c->v.v2.chanreq_head == NULL);
7653 * We have both sent and received CLOSE, which means we're
7654 * completely done with the channel.
7656 ssh_channel_destroy(c);
7660 static void ssh2_channel_got_eof(struct ssh_channel *c)
7662 if (c->closes & CLOSES_RCVD_EOF)
7663 return; /* already seen EOF */
7664 c->closes |= CLOSES_RCVD_EOF;
7666 if (c->type == CHAN_X11) {
7667 x11_send_eof(c->u.x11.xconn);
7668 } else if (c->type == CHAN_AGENT) {
7669 if (c->u.a.outstanding_requests == 0) {
7670 /* Manufacture an outgoing EOF in response to the incoming one. */
7671 sshfwd_write_eof(c);
7673 } else if (c->type == CHAN_SOCKDATA) {
7674 pfd_send_eof(c->u.pfd.pf);
7675 } else if (c->type == CHAN_MAINSESSION) {
7678 if (!ssh->sent_console_eof &&
7679 (from_backend_eof(ssh->frontend) || ssh->got_pty)) {
7681 * Either from_backend_eof told us that the front end
7682 * wants us to close the outgoing side of the connection
7683 * as soon as we see EOF from the far end, or else we've
7684 * unilaterally decided to do that because we've allocated
7685 * a remote pty and hence EOF isn't a particularly
7686 * meaningful concept.
7688 sshfwd_write_eof(c);
7690 ssh->sent_console_eof = TRUE;
7693 ssh2_channel_check_close(c);
7696 static void ssh2_msg_channel_eof(Ssh ssh, struct Packet *pktin)
7698 struct ssh_channel *c;
7700 c = ssh2_channel_msg(ssh, pktin);
7703 if (c->type == CHAN_SHARING) {
7704 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7705 pktin->body, pktin->length);
7708 ssh2_channel_got_eof(c);
7711 static void ssh2_msg_channel_close(Ssh ssh, struct Packet *pktin)
7713 struct ssh_channel *c;
7715 c = ssh2_channel_msg(ssh, pktin);
7718 if (c->type == CHAN_SHARING) {
7719 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7720 pktin->body, pktin->length);
7725 * When we receive CLOSE on a channel, we assume it comes with an
7726 * implied EOF if we haven't seen EOF yet.
7728 ssh2_channel_got_eof(c);
7730 if (!(ssh->remote_bugs & BUG_SENDS_LATE_REQUEST_REPLY)) {
7732 * It also means we stop expecting to see replies to any
7733 * outstanding channel requests, so clean those up too.
7734 * (ssh_chanreq_init will enforce by assertion that we don't
7735 * subsequently put anything back on this list.)
7737 while (c->v.v2.chanreq_head) {
7738 struct outstanding_channel_request *ocr = c->v.v2.chanreq_head;
7739 ocr->handler(c, NULL, ocr->ctx);
7740 c->v.v2.chanreq_head = ocr->next;
7746 * And we also send an outgoing EOF, if we haven't already, on the
7747 * assumption that CLOSE is a pretty forceful announcement that
7748 * the remote side is doing away with the entire channel. (If it
7749 * had wanted to send us EOF and continue receiving data from us,
7750 * it would have just sent CHANNEL_EOF.)
7752 if (!(c->closes & CLOSES_SENT_EOF)) {
7754 * Make sure we don't read any more from whatever our local
7755 * data source is for this channel.
7758 case CHAN_MAINSESSION:
7759 ssh->send_ok = 0; /* stop trying to read from stdin */
7762 x11_override_throttle(c->u.x11.xconn, 1);
7765 pfd_override_throttle(c->u.pfd.pf, 1);
7770 * Abandon any buffered data we still wanted to send to this
7771 * channel. Receiving a CHANNEL_CLOSE is an indication that
7772 * the server really wants to get on and _destroy_ this
7773 * channel, and it isn't going to send us any further
7774 * WINDOW_ADJUSTs to permit us to send pending stuff.
7776 bufchain_clear(&c->v.v2.outbuffer);
7779 * Send outgoing EOF.
7781 sshfwd_write_eof(c);
7785 * Now process the actual close.
7787 if (!(c->closes & CLOSES_RCVD_CLOSE)) {
7788 c->closes |= CLOSES_RCVD_CLOSE;
7789 ssh2_channel_check_close(c);
7793 static void ssh2_msg_channel_open_confirmation(Ssh ssh, struct Packet *pktin)
7795 struct ssh_channel *c;
7797 c = ssh2_channel_msg(ssh, pktin);
7800 if (c->type == CHAN_SHARING) {
7801 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7802 pktin->body, pktin->length);
7805 assert(c->halfopen); /* ssh2_channel_msg will have enforced this */
7806 c->remoteid = ssh_pkt_getuint32(pktin);
7807 c->halfopen = FALSE;
7808 c->v.v2.remwindow = ssh_pkt_getuint32(pktin);
7809 c->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
7811 if (c->type == CHAN_SOCKDATA_DORMANT) {
7812 c->type = CHAN_SOCKDATA;
7814 pfd_confirm(c->u.pfd.pf);
7815 } else if (c->type == CHAN_ZOMBIE) {
7817 * This case can occur if a local socket error occurred
7818 * between us sending out CHANNEL_OPEN and receiving
7819 * OPEN_CONFIRMATION. In this case, all we can do is
7820 * immediately initiate close proceedings now that we know the
7821 * server's id to put in the close message.
7823 ssh2_channel_check_close(c);
7826 * We never expect to receive OPEN_CONFIRMATION for any
7827 * *other* channel type (since only local-to-remote port
7828 * forwardings cause us to send CHANNEL_OPEN after the main
7829 * channel is live - all other auxiliary channel types are
7830 * initiated from the server end). It's safe to enforce this
7831 * by assertion rather than by ssh_disconnect, because the
7832 * real point is that we never constructed a half-open channel
7833 * structure in the first place with any type other than the
7836 assert(!"Funny channel type in ssh2_msg_channel_open_confirmation");
7840 ssh_channel_try_eof(c); /* in case we had a pending EOF */
7843 static void ssh2_msg_channel_open_failure(Ssh ssh, struct Packet *pktin)
7845 static const char *const reasons[] = {
7846 "<unknown reason code>",
7847 "Administratively prohibited",
7849 "Unknown channel type",
7850 "Resource shortage",
7852 unsigned reason_code;
7853 char *reason_string;
7855 struct ssh_channel *c;
7857 c = ssh2_channel_msg(ssh, pktin);
7860 if (c->type == CHAN_SHARING) {
7861 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7862 pktin->body, pktin->length);
7865 assert(c->halfopen); /* ssh2_channel_msg will have enforced this */
7867 if (c->type == CHAN_SOCKDATA_DORMANT) {
7868 reason_code = ssh_pkt_getuint32(pktin);
7869 if (reason_code >= lenof(reasons))
7870 reason_code = 0; /* ensure reasons[reason_code] in range */
7871 ssh_pkt_getstring(pktin, &reason_string, &reason_length);
7872 logeventf(ssh, "Forwarded connection refused by server: %s [%.*s]",
7873 reasons[reason_code], reason_length, reason_string);
7875 pfd_close(c->u.pfd.pf);
7876 } else if (c->type == CHAN_ZOMBIE) {
7878 * This case can occur if a local socket error occurred
7879 * between us sending out CHANNEL_OPEN and receiving
7880 * OPEN_FAILURE. In this case, we need do nothing except allow
7881 * the code below to throw the half-open channel away.
7885 * We never expect to receive OPEN_FAILURE for any *other*
7886 * channel type (since only local-to-remote port forwardings
7887 * cause us to send CHANNEL_OPEN after the main channel is
7888 * live - all other auxiliary channel types are initiated from
7889 * the server end). It's safe to enforce this by assertion
7890 * rather than by ssh_disconnect, because the real point is
7891 * that we never constructed a half-open channel structure in
7892 * the first place with any type other than the above.
7894 assert(!"Funny channel type in ssh2_msg_channel_open_failure");
7897 del234(ssh->channels, c);
7901 static void ssh2_msg_channel_request(Ssh ssh, struct Packet *pktin)
7904 int typelen, want_reply;
7905 int reply = SSH2_MSG_CHANNEL_FAILURE; /* default */
7906 struct ssh_channel *c;
7907 struct Packet *pktout;
7909 c = ssh2_channel_msg(ssh, pktin);
7912 if (c->type == CHAN_SHARING) {
7913 share_got_pkt_from_server(c->u.sharing.ctx, pktin->type,
7914 pktin->body, pktin->length);
7917 ssh_pkt_getstring(pktin, &type, &typelen);
7918 want_reply = ssh2_pkt_getbool(pktin);
7920 if (c->closes & CLOSES_SENT_CLOSE) {
7922 * We don't reply to channel requests after we've sent
7923 * CHANNEL_CLOSE for the channel, because our reply might
7924 * cross in the network with the other side's CHANNEL_CLOSE
7925 * and arrive after they have wound the channel up completely.
7931 * Having got the channel number, we now look at
7932 * the request type string to see if it's something
7935 if (c == ssh->mainchan) {
7937 * We recognise "exit-status" and "exit-signal" on
7938 * the primary channel.
7940 if (typelen == 11 &&
7941 !memcmp(type, "exit-status", 11)) {
7943 ssh->exitcode = ssh_pkt_getuint32(pktin);
7944 logeventf(ssh, "Server sent command exit status %d",
7946 reply = SSH2_MSG_CHANNEL_SUCCESS;
7948 } else if (typelen == 11 &&
7949 !memcmp(type, "exit-signal", 11)) {
7951 int is_plausible = TRUE, is_int = FALSE;
7952 char *fmt_sig = "", *fmt_msg = "";
7954 int msglen = 0, core = FALSE;
7955 /* ICK: older versions of OpenSSH (e.g. 3.4p1)
7956 * provide an `int' for the signal, despite its
7957 * having been a `string' in the drafts of RFC 4254 since at
7958 * least 2001. (Fixed in session.c 1.147.) Try to
7959 * infer which we can safely parse it as. */
7961 unsigned char *p = pktin->body +
7963 long len = pktin->length - pktin->savedpos;
7964 unsigned long num = GET_32BIT(p); /* what is it? */
7965 /* If it's 0, it hardly matters; assume string */
7969 int maybe_int = FALSE, maybe_str = FALSE;
7970 #define CHECK_HYPOTHESIS(offset, result) \
7973 int q = toint(offset); \
7974 if (q >= 0 && q+4 <= len) { \
7975 q = toint(q + 4 + GET_32BIT(p+q)); \
7976 if (q >= 0 && q+4 <= len && \
7977 ((q = toint(q + 4 + GET_32BIT(p+q))) != 0) && \
7982 CHECK_HYPOTHESIS(4+1, maybe_int);
7983 CHECK_HYPOTHESIS(4+num+1, maybe_str);
7984 #undef CHECK_HYPOTHESIS
7985 if (maybe_int && !maybe_str)
7987 else if (!maybe_int && maybe_str)
7990 /* Crikey. Either or neither. Panic. */
7991 is_plausible = FALSE;
7994 ssh->exitcode = 128; /* means `unknown signal' */
7997 /* Old non-standard OpenSSH. */
7998 int signum = ssh_pkt_getuint32(pktin);
7999 fmt_sig = dupprintf(" %d", signum);
8000 ssh->exitcode = 128 + signum;
8002 /* As per RFC 4254. */
8005 ssh_pkt_getstring(pktin, &sig, &siglen);
8006 /* Signal name isn't supposed to be blank, but
8007 * let's cope gracefully if it is. */
8009 fmt_sig = dupprintf(" \"%.*s\"",
8014 * Really hideous method of translating the
8015 * signal description back into a locally
8016 * meaningful number.
8021 #define TRANSLATE_SIGNAL(s) \
8022 else if (siglen == lenof(#s)-1 && !memcmp(sig, #s, siglen)) \
8023 ssh->exitcode = 128 + SIG ## s
8025 TRANSLATE_SIGNAL(ABRT);
8028 TRANSLATE_SIGNAL(ALRM);
8031 TRANSLATE_SIGNAL(FPE);
8034 TRANSLATE_SIGNAL(HUP);
8037 TRANSLATE_SIGNAL(ILL);
8040 TRANSLATE_SIGNAL(INT);
8043 TRANSLATE_SIGNAL(KILL);
8046 TRANSLATE_SIGNAL(PIPE);
8049 TRANSLATE_SIGNAL(QUIT);
8052 TRANSLATE_SIGNAL(SEGV);
8055 TRANSLATE_SIGNAL(TERM);
8058 TRANSLATE_SIGNAL(USR1);
8061 TRANSLATE_SIGNAL(USR2);
8063 #undef TRANSLATE_SIGNAL
8065 ssh->exitcode = 128;
8067 core = ssh2_pkt_getbool(pktin);
8068 ssh_pkt_getstring(pktin, &msg, &msglen);
8070 fmt_msg = dupprintf(" (\"%.*s\")", msglen, msg);
8072 /* ignore lang tag */
8073 } /* else don't attempt to parse */
8074 logeventf(ssh, "Server exited on signal%s%s%s",
8075 fmt_sig, core ? " (core dumped)" : "",
8077 if (*fmt_sig) sfree(fmt_sig);
8078 if (*fmt_msg) sfree(fmt_msg);
8079 reply = SSH2_MSG_CHANNEL_SUCCESS;
8084 * This is a channel request we don't know
8085 * about, so we now either ignore the request
8086 * or respond with CHANNEL_FAILURE, depending
8089 reply = SSH2_MSG_CHANNEL_FAILURE;
8092 pktout = ssh2_pkt_init(reply);
8093 ssh2_pkt_adduint32(pktout, c->remoteid);
8094 ssh2_pkt_send(ssh, pktout);
8098 static void ssh2_msg_global_request(Ssh ssh, struct Packet *pktin)
8101 int typelen, want_reply;
8102 struct Packet *pktout;
8104 ssh_pkt_getstring(pktin, &type, &typelen);
8105 want_reply = ssh2_pkt_getbool(pktin);
8108 * We currently don't support any global requests
8109 * at all, so we either ignore the request or
8110 * respond with REQUEST_FAILURE, depending on
8114 pktout = ssh2_pkt_init(SSH2_MSG_REQUEST_FAILURE);
8115 ssh2_pkt_send(ssh, pktout);
8119 struct X11FakeAuth *ssh_sharing_add_x11_display(Ssh ssh, int authtype,
8123 struct X11FakeAuth *auth;
8126 * Make up a new set of fake X11 auth data, and add it to the tree
8127 * of currently valid ones with an indication of the sharing
8128 * context that it's relevant to.
8130 auth = x11_invent_fake_auth(ssh->x11authtree, authtype);
8131 auth->share_cs = share_cs;
8132 auth->share_chan = share_chan;
8137 void ssh_sharing_remove_x11_display(Ssh ssh, struct X11FakeAuth *auth)
8139 del234(ssh->x11authtree, auth);
8140 x11_free_fake_auth(auth);
8143 static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
8151 struct ssh_channel *c;
8152 unsigned remid, winsize, pktsize;
8153 unsigned our_winsize_override = 0;
8154 struct Packet *pktout;
8156 ssh_pkt_getstring(pktin, &type, &typelen);
8157 c = snew(struct ssh_channel);
8160 remid = ssh_pkt_getuint32(pktin);
8161 winsize = ssh_pkt_getuint32(pktin);
8162 pktsize = ssh_pkt_getuint32(pktin);
8164 if (typelen == 3 && !memcmp(type, "x11", 3)) {
8167 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
8168 addrstr = snewn(peeraddrlen+1, char);
8169 memcpy(addrstr, peeraddr, peeraddrlen);
8170 addrstr[peeraddrlen] = '\0';
8171 peerport = ssh_pkt_getuint32(pktin);
8173 logeventf(ssh, "Received X11 connect request from %s:%d",
8176 if (!ssh->X11_fwd_enabled && !ssh->connshare)
8177 error = "X11 forwarding is not enabled";
8179 c->u.x11.xconn = x11_init(ssh->x11authtree, c,
8182 c->u.x11.initial = TRUE;
8185 * If we are a connection-sharing upstream, then we should
8186 * initially present a very small window, adequate to take
8187 * the X11 initial authorisation packet but not much more.
8188 * Downstream will then present us a larger window (by
8189 * fiat of the connection-sharing protocol) and we can
8190 * guarantee to send a positive-valued WINDOW_ADJUST.
8193 our_winsize_override = 128;
8195 logevent("Opened X11 forward channel");
8199 } else if (typelen == 15 &&
8200 !memcmp(type, "forwarded-tcpip", 15)) {
8201 struct ssh_rportfwd pf, *realpf;
8204 ssh_pkt_getstring(pktin, &shost, &shostlen);/* skip address */
8205 pf.shost = dupprintf("%.*s", shostlen, shost);
8206 pf.sport = ssh_pkt_getuint32(pktin);
8207 ssh_pkt_getstring(pktin, &peeraddr, &peeraddrlen);
8208 peerport = ssh_pkt_getuint32(pktin);
8209 realpf = find234(ssh->rportfwds, &pf, NULL);
8210 logeventf(ssh, "Received remote port %s:%d open request "
8211 "from %s:%d", pf.shost, pf.sport, peeraddr, peerport);
8214 if (realpf == NULL) {
8215 error = "Remote port is not recognised";
8219 if (realpf->share_ctx) {
8221 * This port forwarding is on behalf of a
8222 * connection-sharing downstream, so abandon our own
8223 * channel-open procedure and just pass the message on
8226 share_got_pkt_from_server(realpf->share_ctx, pktin->type,
8227 pktin->body, pktin->length);
8232 err = pfd_connect(&c->u.pfd.pf, realpf->dhost, realpf->dport,
8233 c, ssh->conf, realpf->pfrec->addressfamily);
8234 logeventf(ssh, "Attempting to forward remote port to "
8235 "%s:%d", realpf->dhost, realpf->dport);
8237 logeventf(ssh, "Port open failed: %s", err);
8239 error = "Port open failed";
8241 logevent("Forwarded port opened successfully");
8242 c->type = CHAN_SOCKDATA;
8245 } else if (typelen == 22 &&
8246 !memcmp(type, "auth-agent@openssh.com", 22)) {
8247 if (!ssh->agentfwd_enabled)
8248 error = "Agent forwarding is not enabled";
8250 c->type = CHAN_AGENT; /* identify channel type */
8251 c->u.a.lensofar = 0;
8252 c->u.a.message = NULL;
8253 c->u.a.outstanding_requests = 0;
8256 error = "Unsupported channel type requested";
8259 c->remoteid = remid;
8260 c->halfopen = FALSE;
8262 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_FAILURE);
8263 ssh2_pkt_adduint32(pktout, c->remoteid);
8264 ssh2_pkt_adduint32(pktout, SSH2_OPEN_CONNECT_FAILED);
8265 ssh2_pkt_addstring(pktout, error);
8266 ssh2_pkt_addstring(pktout, "en"); /* language tag */
8267 ssh2_pkt_send(ssh, pktout);
8268 logeventf(ssh, "Rejected channel open: %s", error);
8271 ssh2_channel_init(c);
8272 c->v.v2.remwindow = winsize;
8273 c->v.v2.remmaxpkt = pktsize;
8274 if (our_winsize_override) {
8275 c->v.v2.locwindow = c->v.v2.locmaxwin = c->v.v2.remlocwin =
8276 our_winsize_override;
8278 add234(ssh->channels, c);
8279 pktout = ssh2_pkt_init(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
8280 ssh2_pkt_adduint32(pktout, c->remoteid);
8281 ssh2_pkt_adduint32(pktout, c->localid);
8282 ssh2_pkt_adduint32(pktout, c->v.v2.locwindow);
8283 ssh2_pkt_adduint32(pktout, OUR_V2_MAXPKT); /* our max pkt size */
8284 ssh2_pkt_send(ssh, pktout);
8288 void sshfwd_x11_sharing_handover(struct ssh_channel *c,
8289 void *share_cs, void *share_chan,
8290 const char *peer_addr, int peer_port,
8291 int endian, int protomajor, int protominor,
8292 const void *initial_data, int initial_len)
8295 * This function is called when we've just discovered that an X
8296 * forwarding channel on which we'd been handling the initial auth
8297 * ourselves turns out to be destined for a connection-sharing
8298 * downstream. So we turn the channel into a CHAN_SHARING, meaning
8299 * that we completely stop tracking windows and buffering data and
8300 * just pass more or less unmodified SSH messages back and forth.
8302 c->type = CHAN_SHARING;
8303 c->u.sharing.ctx = share_cs;
8304 share_setup_x11_channel(share_cs, share_chan,
8305 c->localid, c->remoteid, c->v.v2.remwindow,
8306 c->v.v2.remmaxpkt, c->v.v2.locwindow,
8307 peer_addr, peer_port, endian,
8308 protomajor, protominor,
8309 initial_data, initial_len);
8312 void sshfwd_x11_is_local(struct ssh_channel *c)
8315 * This function is called when we've just discovered that an X
8316 * forwarding channel is _not_ destined for a connection-sharing
8317 * downstream but we're going to handle it ourselves. We stop
8318 * presenting a cautiously small window and go into ordinary data
8321 c->u.x11.initial = FALSE;
8322 ssh2_set_window(c, ssh_is_simple(c->ssh) ? OUR_V2_BIGWIN : OUR_V2_WINSIZE);
8326 * Buffer banner messages for later display at some convenient point,
8327 * if we're going to display them.
8329 static void ssh2_msg_userauth_banner(Ssh ssh, struct Packet *pktin)
8331 /* Arbitrary limit to prevent unbounded inflation of buffer */
8332 if (conf_get_int(ssh->conf, CONF_ssh_show_banner) &&
8333 bufchain_size(&ssh->banner) <= 131072) {
8334 char *banner = NULL;
8336 ssh_pkt_getstring(pktin, &banner, &size);
8338 bufchain_add(&ssh->banner, banner, size);
8342 /* Helper function to deal with sending tty modes for "pty-req" */
8343 static void ssh2_send_ttymode(void *data, char *mode, char *val)
8345 struct Packet *pktout = (struct Packet *)data;
8347 unsigned int arg = 0;
8348 while (strcmp(mode, ssh_ttymodes[i].mode) != 0) i++;
8349 if (i == lenof(ssh_ttymodes)) return;
8350 switch (ssh_ttymodes[i].type) {
8352 arg = ssh_tty_parse_specchar(val);
8355 arg = ssh_tty_parse_boolean(val);
8358 ssh2_pkt_addbyte(pktout, ssh_ttymodes[i].opcode);
8359 ssh2_pkt_adduint32(pktout, arg);
8362 static void ssh2_setup_x11(struct ssh_channel *c, struct Packet *pktin,
8365 struct ssh2_setup_x11_state {
8369 struct Packet *pktout;
8370 crStateP(ssh2_setup_x11_state, ctx);
8374 logevent("Requesting X11 forwarding");
8375 pktout = ssh2_chanreq_init(ssh->mainchan, "x11-req",
8377 ssh2_pkt_addbool(pktout, 0); /* many connections */
8378 ssh2_pkt_addstring(pktout, ssh->x11auth->protoname);
8379 ssh2_pkt_addstring(pktout, ssh->x11auth->datastring);
8380 ssh2_pkt_adduint32(pktout, ssh->x11disp->screennum);
8381 ssh2_pkt_send(ssh, pktout);
8383 /* Wait to be called back with either a response packet, or NULL
8384 * meaning clean up and free our data */
8388 if (pktin->type == SSH2_MSG_CHANNEL_SUCCESS) {
8389 logevent("X11 forwarding enabled");
8390 ssh->X11_fwd_enabled = TRUE;
8392 logevent("X11 forwarding refused");
8398 static void ssh2_setup_agent(struct ssh_channel *c, struct Packet *pktin,
8401 struct ssh2_setup_agent_state {
8405 struct Packet *pktout;
8406 crStateP(ssh2_setup_agent_state, ctx);
8410 logevent("Requesting OpenSSH-style agent forwarding");
8411 pktout = ssh2_chanreq_init(ssh->mainchan, "auth-agent-req@openssh.com",
8412 ssh2_setup_agent, s);
8413 ssh2_pkt_send(ssh, pktout);
8415 /* Wait to be called back with either a response packet, or NULL
8416 * meaning clean up and free our data */
8420 if (pktin->type == SSH2_MSG_CHANNEL_SUCCESS) {
8421 logevent("Agent forwarding enabled");
8422 ssh->agentfwd_enabled = TRUE;
8424 logevent("Agent forwarding refused");
8430 static void ssh2_setup_pty(struct ssh_channel *c, struct Packet *pktin,
8433 struct ssh2_setup_pty_state {
8437 struct Packet *pktout;
8438 crStateP(ssh2_setup_pty_state, ctx);
8442 /* Unpick the terminal-speed string. */
8443 /* XXX perhaps we should allow no speeds to be sent. */
8444 ssh->ospeed = 38400; ssh->ispeed = 38400; /* last-resort defaults */
8445 sscanf(conf_get_str(ssh->conf, CONF_termspeed), "%d,%d", &ssh->ospeed, &ssh->ispeed);
8446 /* Build the pty request. */
8447 pktout = ssh2_chanreq_init(ssh->mainchan, "pty-req",
8449 ssh2_pkt_addstring(pktout, conf_get_str(ssh->conf, CONF_termtype));
8450 ssh2_pkt_adduint32(pktout, ssh->term_width);
8451 ssh2_pkt_adduint32(pktout, ssh->term_height);
8452 ssh2_pkt_adduint32(pktout, 0); /* pixel width */
8453 ssh2_pkt_adduint32(pktout, 0); /* pixel height */
8454 ssh2_pkt_addstring_start(pktout);
8455 parse_ttymodes(ssh, ssh2_send_ttymode, (void *)pktout);
8456 ssh2_pkt_addbyte(pktout, SSH2_TTY_OP_ISPEED);
8457 ssh2_pkt_adduint32(pktout, ssh->ispeed);
8458 ssh2_pkt_addbyte(pktout, SSH2_TTY_OP_OSPEED);
8459 ssh2_pkt_adduint32(pktout, ssh->ospeed);
8460 ssh2_pkt_addstring_data(pktout, "\0", 1); /* TTY_OP_END */
8461 ssh2_pkt_send(ssh, pktout);
8462 ssh->state = SSH_STATE_INTERMED;
8464 /* Wait to be called back with either a response packet, or NULL
8465 * meaning clean up and free our data */
8469 if (pktin->type == SSH2_MSG_CHANNEL_SUCCESS) {
8470 logeventf(ssh, "Allocated pty (ospeed %dbps, ispeed %dbps)",
8471 ssh->ospeed, ssh->ispeed);
8472 ssh->got_pty = TRUE;
8474 c_write_str(ssh, "Server refused to allocate pty\r\n");
8475 ssh->editing = ssh->echoing = 1;
8482 static void ssh2_setup_env(struct ssh_channel *c, struct Packet *pktin,
8485 struct ssh2_setup_env_state {
8487 int num_env, env_left, env_ok;
8490 struct Packet *pktout;
8491 crStateP(ssh2_setup_env_state, ctx);
8496 * Send environment variables.
8498 * Simplest thing here is to send all the requests at once, and
8499 * then wait for a whole bunch of successes or failures.
8505 for (val = conf_get_str_strs(ssh->conf, CONF_environmt, NULL, &key);
8507 val = conf_get_str_strs(ssh->conf, CONF_environmt, key, &key)) {
8508 pktout = ssh2_chanreq_init(ssh->mainchan, "env", ssh2_setup_env, s);
8509 ssh2_pkt_addstring(pktout, key);
8510 ssh2_pkt_addstring(pktout, val);
8511 ssh2_pkt_send(ssh, pktout);
8516 logeventf(ssh, "Sent %d environment variables", s->num_env);
8521 s->env_left = s->num_env;
8523 while (s->env_left > 0) {
8524 /* Wait to be called back with either a response packet,
8525 * or NULL meaning clean up and free our data */
8527 if (!pktin) goto out;
8528 if (pktin->type == SSH2_MSG_CHANNEL_SUCCESS)
8533 if (s->env_ok == s->num_env) {
8534 logevent("All environment variables successfully set");
8535 } else if (s->env_ok == 0) {
8536 logevent("All environment variables refused");
8537 c_write_str(ssh, "Server refused to set environment variables\r\n");
8539 logeventf(ssh, "%d environment variables refused",
8540 s->num_env - s->env_ok);
8541 c_write_str(ssh, "Server refused to set all environment variables\r\n");
8549 * Handle the SSH-2 userauth and connection layers.
8551 static void ssh2_msg_authconn(Ssh ssh, struct Packet *pktin)
8553 do_ssh2_authconn(ssh, NULL, 0, pktin);
8556 static void ssh2_response_authconn(struct ssh_channel *c, struct Packet *pktin,
8560 do_ssh2_authconn(c->ssh, NULL, 0, pktin);
8563 static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
8564 struct Packet *pktin)
8566 struct do_ssh2_authconn_state {
8570 AUTH_TYPE_PUBLICKEY,
8571 AUTH_TYPE_PUBLICKEY_OFFER_LOUD,
8572 AUTH_TYPE_PUBLICKEY_OFFER_QUIET,
8574 AUTH_TYPE_GSSAPI, /* always QUIET */
8575 AUTH_TYPE_KEYBOARD_INTERACTIVE,
8576 AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
8578 int done_service_req;
8579 int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
8580 int tried_pubkey_config, done_agent;
8585 int kbd_inter_refused;
8586 int we_are_in, userauth_success;
8587 prompts_t *cur_prompt;
8592 void *publickey_blob;
8593 int publickey_bloblen;
8594 int publickey_encrypted;
8595 char *publickey_algorithm;
8596 char *publickey_comment;
8597 unsigned char agent_request[5], *agent_response, *agentp;
8598 int agent_responselen;
8599 unsigned char *pkblob_in_agent;
8601 char *pkblob, *alg, *commentp;
8602 int pklen, alglen, commentlen;
8603 int siglen, retlen, len;
8604 char *q, *agentreq, *ret;
8606 struct Packet *pktout;
8609 struct ssh_gss_library *gsslib;
8610 Ssh_gss_ctx gss_ctx;
8611 Ssh_gss_buf gss_buf;
8612 Ssh_gss_buf gss_rcvtok, gss_sndtok;
8613 Ssh_gss_name gss_srv_name;
8614 Ssh_gss_stat gss_stat;
8617 crState(do_ssh2_authconn_state);
8621 /* Register as a handler for all the messages this coroutine handles. */
8622 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = ssh2_msg_authconn;
8623 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = ssh2_msg_authconn;
8624 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = ssh2_msg_authconn;
8625 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = ssh2_msg_authconn;
8626 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = ssh2_msg_authconn;
8627 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = ssh2_msg_authconn;
8628 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = ssh2_msg_authconn; duplicate case value */
8629 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = ssh2_msg_authconn; duplicate case value */
8630 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = ssh2_msg_authconn;
8631 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = ssh2_msg_authconn;
8632 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = ssh2_msg_authconn;
8633 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = ssh2_msg_authconn;
8634 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = ssh2_msg_authconn;
8635 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = ssh2_msg_authconn;
8636 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = ssh2_msg_authconn;
8637 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = ssh2_msg_authconn;
8638 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = ssh2_msg_authconn;
8639 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = ssh2_msg_authconn;
8640 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_authconn;
8641 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_authconn;
8643 s->done_service_req = FALSE;
8644 s->we_are_in = s->userauth_success = FALSE;
8645 s->agent_response = NULL;
8647 s->tried_gssapi = FALSE;
8650 if (!ssh->bare_connection) {
8651 if (!conf_get_int(ssh->conf, CONF_ssh_no_userauth)) {
8653 * Request userauth protocol, and await a response to it.
8655 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
8656 ssh2_pkt_addstring(s->pktout, "ssh-userauth");
8657 ssh2_pkt_send(ssh, s->pktout);
8658 crWaitUntilV(pktin);
8659 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
8660 s->done_service_req = TRUE;
8662 if (!s->done_service_req) {
8664 * Request connection protocol directly, without authentication.
8666 s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
8667 ssh2_pkt_addstring(s->pktout, "ssh-connection");
8668 ssh2_pkt_send(ssh, s->pktout);
8669 crWaitUntilV(pktin);
8670 if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
8671 s->we_are_in = TRUE; /* no auth required */
8673 bombout(("Server refused service request"));
8678 s->we_are_in = TRUE;
8681 /* Arrange to be able to deal with any BANNERs that come in.
8682 * (We do this now as packets may come in during the next bit.) */
8683 bufchain_init(&ssh->banner);
8684 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] =
8685 ssh2_msg_userauth_banner;
8688 * Misc one-time setup for authentication.
8690 s->publickey_blob = NULL;
8691 if (!s->we_are_in) {
8694 * Load the public half of any configured public key file
8697 s->keyfile = conf_get_filename(ssh->conf, CONF_keyfile);
8698 if (!filename_is_null(s->keyfile)) {
8700 logeventf(ssh, "Reading private key file \"%.150s\"",
8701 filename_to_str(s->keyfile));
8702 keytype = key_type(s->keyfile);
8703 if (keytype == SSH_KEYTYPE_SSH2) {
8706 ssh2_userkey_loadpub(s->keyfile,
8707 &s->publickey_algorithm,
8708 &s->publickey_bloblen,
8709 &s->publickey_comment, &error);
8710 if (s->publickey_blob) {
8711 s->publickey_encrypted =
8712 ssh2_userkey_encrypted(s->keyfile, NULL);
8715 logeventf(ssh, "Unable to load private key (%s)",
8717 msgbuf = dupprintf("Unable to load private key file "
8718 "\"%.150s\" (%s)\r\n",
8719 filename_to_str(s->keyfile),
8721 c_write_str(ssh, msgbuf);
8726 logeventf(ssh, "Unable to use this key file (%s)",
8727 key_type_to_str(keytype));
8728 msgbuf = dupprintf("Unable to use key file \"%.150s\""
8730 filename_to_str(s->keyfile),
8731 key_type_to_str(keytype));
8732 c_write_str(ssh, msgbuf);
8734 s->publickey_blob = NULL;
8739 * Find out about any keys Pageant has (but if there's a
8740 * public key configured, filter out all others).
8743 s->agent_response = NULL;
8744 s->pkblob_in_agent = NULL;
8745 if (conf_get_int(ssh->conf, CONF_tryagent) && agent_exists()) {
8749 logevent("Pageant is running. Requesting keys.");
8751 /* Request the keys held by the agent. */
8752 PUT_32BIT(s->agent_request, 1);
8753 s->agent_request[4] = SSH2_AGENTC_REQUEST_IDENTITIES;
8754 if (!agent_query(s->agent_request, 5, &r, &s->agent_responselen,
8755 ssh_agent_callback, ssh)) {
8759 bombout(("Unexpected data from server while"
8760 " waiting for agent response"));
8763 } while (pktin || inlen > 0);
8764 r = ssh->agent_response;
8765 s->agent_responselen = ssh->agent_response_len;
8767 s->agent_response = (unsigned char *) r;
8768 if (s->agent_response && s->agent_responselen >= 5 &&
8769 s->agent_response[4] == SSH2_AGENT_IDENTITIES_ANSWER) {
8772 p = s->agent_response + 5;
8773 s->nkeys = toint(GET_32BIT(p));
8776 * Vet the Pageant response to ensure that the key
8777 * count and blob lengths make sense.
8780 logeventf(ssh, "Pageant response contained a negative"
8781 " key count %d", s->nkeys);
8783 goto done_agent_query;
8785 unsigned char *q = p + 4;
8786 int lenleft = s->agent_responselen - 5 - 4;
8788 for (keyi = 0; keyi < s->nkeys; keyi++) {
8789 int bloblen, commentlen;
8791 logeventf(ssh, "Pageant response was truncated");
8793 goto done_agent_query;
8795 bloblen = toint(GET_32BIT(q));
8796 if (bloblen < 0 || bloblen > lenleft) {
8797 logeventf(ssh, "Pageant response was truncated");
8799 goto done_agent_query;
8801 lenleft -= 4 + bloblen;
8803 commentlen = toint(GET_32BIT(q));
8804 if (commentlen < 0 || commentlen > lenleft) {
8805 logeventf(ssh, "Pageant response was truncated");
8807 goto done_agent_query;
8809 lenleft -= 4 + commentlen;
8810 q += 4 + commentlen;
8815 logeventf(ssh, "Pageant has %d SSH-2 keys", s->nkeys);
8816 if (s->publickey_blob) {
8817 /* See if configured key is in agent. */
8818 for (keyi = 0; keyi < s->nkeys; keyi++) {
8819 s->pklen = toint(GET_32BIT(p));
8820 if (s->pklen == s->publickey_bloblen &&
8821 !memcmp(p+4, s->publickey_blob,
8822 s->publickey_bloblen)) {
8823 logeventf(ssh, "Pageant key #%d matches "
8824 "configured key file", keyi);
8826 s->pkblob_in_agent = p;
8830 p += toint(GET_32BIT(p)) + 4; /* comment */
8832 if (!s->pkblob_in_agent) {
8833 logevent("Configured key file not in Pageant");
8838 logevent("Failed to get reply from Pageant");
8846 * We repeat this whole loop, including the username prompt,
8847 * until we manage a successful authentication. If the user
8848 * types the wrong _password_, they can be sent back to the
8849 * beginning to try another username, if this is configured on.
8850 * (If they specify a username in the config, they are never
8851 * asked, even if they do give a wrong password.)
8853 * I think this best serves the needs of
8855 * - the people who have no configuration, no keys, and just
8856 * want to try repeated (username,password) pairs until they
8857 * type both correctly
8859 * - people who have keys and configuration but occasionally
8860 * need to fall back to passwords
8862 * - people with a key held in Pageant, who might not have
8863 * logged in to a particular machine before; so they want to
8864 * type a username, and then _either_ their key will be
8865 * accepted, _or_ they will type a password. If they mistype
8866 * the username they will want to be able to get back and
8869 s->got_username = FALSE;
8870 while (!s->we_are_in) {
8874 if (s->got_username && !conf_get_int(ssh->conf, CONF_change_username)) {
8876 * We got a username last time round this loop, and
8877 * with change_username turned off we don't try to get
8880 } else if ((ssh->username = get_remote_username(ssh->conf)) == NULL) {
8881 int ret; /* need not be kept over crReturn */
8882 s->cur_prompt = new_prompts(ssh->frontend);
8883 s->cur_prompt->to_server = TRUE;
8884 s->cur_prompt->name = dupstr("SSH login name");
8885 add_prompt(s->cur_prompt, dupstr("login as: "), TRUE);
8886 ret = get_userpass_input(s->cur_prompt, NULL, 0);
8889 crWaitUntilV(!pktin);
8890 ret = get_userpass_input(s->cur_prompt, in, inlen);
8895 * get_userpass_input() failed to get a username.
8898 free_prompts(s->cur_prompt);
8899 ssh_disconnect(ssh, "No username provided", NULL, 0, TRUE);
8902 ssh->username = dupstr(s->cur_prompt->prompts[0]->result);
8903 free_prompts(s->cur_prompt);
8906 if ((flags & FLAG_VERBOSE) || (flags & FLAG_INTERACTIVE)) {
8907 stuff = dupprintf("Using username \"%s\".\r\n", ssh->username);
8908 c_write_str(ssh, stuff);
8912 s->got_username = TRUE;
8915 * Send an authentication request using method "none": (a)
8916 * just in case it succeeds, and (b) so that we know what
8917 * authentication methods we can usefully try next.
8919 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
8921 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
8922 ssh2_pkt_addstring(s->pktout, ssh->username);
8923 ssh2_pkt_addstring(s->pktout, "ssh-connection");/* service requested */
8924 ssh2_pkt_addstring(s->pktout, "none"); /* method */
8925 ssh2_pkt_send(ssh, s->pktout);
8926 s->type = AUTH_TYPE_NONE;
8928 s->we_are_in = FALSE;
8930 s->tried_pubkey_config = FALSE;
8931 s->kbd_inter_refused = FALSE;
8933 /* Reset agent request state. */
8934 s->done_agent = FALSE;
8935 if (s->agent_response) {
8936 if (s->pkblob_in_agent) {
8937 s->agentp = s->pkblob_in_agent;
8939 s->agentp = s->agent_response + 5 + 4;
8945 char *methods = NULL;
8949 * Wait for the result of the last authentication request.
8952 crWaitUntilV(pktin);
8954 * Now is a convenient point to spew any banner material
8955 * that we've accumulated. (This should ensure that when
8956 * we exit the auth loop, we haven't any left to deal
8960 int size = bufchain_size(&ssh->banner);
8962 * Don't show the banner if we're operating in
8963 * non-verbose non-interactive mode. (It's probably
8964 * a script, which means nobody will read the
8965 * banner _anyway_, and moreover the printing of
8966 * the banner will screw up processing on the
8967 * output of (say) plink.)
8969 if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
8970 char *banner = snewn(size, char);
8971 bufchain_fetch(&ssh->banner, banner, size);
8972 c_write_untrusted(ssh, banner, size);
8975 bufchain_clear(&ssh->banner);
8977 if (pktin->type == SSH2_MSG_USERAUTH_SUCCESS) {
8978 logevent("Access granted");
8979 s->we_are_in = s->userauth_success = TRUE;
8983 if (pktin->type != SSH2_MSG_USERAUTH_FAILURE && s->type != AUTH_TYPE_GSSAPI) {
8984 bombout(("Strange packet received during authentication: "
8985 "type %d", pktin->type));
8992 * OK, we're now sitting on a USERAUTH_FAILURE message, so
8993 * we can look at the string in it and know what we can
8994 * helpfully try next.
8996 if (pktin->type == SSH2_MSG_USERAUTH_FAILURE) {
8997 ssh_pkt_getstring(pktin, &methods, &methlen);
8998 if (!ssh2_pkt_getbool(pktin)) {
9000 * We have received an unequivocal Access
9001 * Denied. This can translate to a variety of
9002 * messages, or no message at all.
9004 * For forms of authentication which are attempted
9005 * implicitly, by which I mean without printing
9006 * anything in the window indicating that we're
9007 * trying them, we should never print 'Access
9010 * If we do print a message saying that we're
9011 * attempting some kind of authentication, it's OK
9012 * to print a followup message saying it failed -
9013 * but the message may sometimes be more specific
9014 * than simply 'Access denied'.
9016 * Additionally, if we'd just tried password
9017 * authentication, we should break out of this
9018 * whole loop so as to go back to the username
9019 * prompt (iff we're configured to allow
9020 * username change attempts).
9022 if (s->type == AUTH_TYPE_NONE) {
9024 } else if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD ||
9025 s->type == AUTH_TYPE_PUBLICKEY_OFFER_QUIET) {
9026 if (s->type == AUTH_TYPE_PUBLICKEY_OFFER_LOUD)
9027 c_write_str(ssh, "Server refused our key\r\n");
9028 logevent("Server refused our key");
9029 } else if (s->type == AUTH_TYPE_PUBLICKEY) {
9030 /* This _shouldn't_ happen except by a
9031 * protocol bug causing client and server to
9032 * disagree on what is a correct signature. */
9033 c_write_str(ssh, "Server refused public-key signature"
9034 " despite accepting key!\r\n");
9035 logevent("Server refused public-key signature"
9036 " despite accepting key!");
9037 } else if (s->type==AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET) {
9038 /* quiet, so no c_write */
9039 logevent("Server refused keyboard-interactive authentication");
9040 } else if (s->type==AUTH_TYPE_GSSAPI) {
9041 /* always quiet, so no c_write */
9042 /* also, the code down in the GSSAPI block has
9043 * already logged this in the Event Log */
9044 } else if (s->type == AUTH_TYPE_KEYBOARD_INTERACTIVE) {
9045 logevent("Keyboard-interactive authentication failed");
9046 c_write_str(ssh, "Access denied\r\n");
9048 assert(s->type == AUTH_TYPE_PASSWORD);
9049 logevent("Password authentication failed");
9050 c_write_str(ssh, "Access denied\r\n");
9052 if (conf_get_int(ssh->conf, CONF_change_username)) {
9053 /* XXX perhaps we should allow
9054 * keyboard-interactive to do this too? */
9055 s->we_are_in = FALSE;
9060 c_write_str(ssh, "Further authentication required\r\n");
9061 logevent("Further authentication required");
9065 in_commasep_string("publickey", methods, methlen);
9067 in_commasep_string("password", methods, methlen);
9068 s->can_keyb_inter = conf_get_int(ssh->conf, CONF_try_ki_auth) &&
9069 in_commasep_string("keyboard-interactive", methods, methlen);
9072 ssh->gsslibs = ssh_gss_setup(ssh->conf);
9073 s->can_gssapi = conf_get_int(ssh->conf, CONF_try_gssapi_auth) &&
9074 in_commasep_string("gssapi-with-mic", methods, methlen) &&
9075 ssh->gsslibs->nlibraries > 0;
9079 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
9081 if (s->can_pubkey && !s->done_agent && s->nkeys) {
9084 * Attempt public-key authentication using a key from Pageant.
9087 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
9089 logeventf(ssh, "Trying Pageant key #%d", s->keyi);
9091 /* Unpack key from agent response */
9092 s->pklen = toint(GET_32BIT(s->agentp));
9094 s->pkblob = (char *)s->agentp;
9095 s->agentp += s->pklen;
9096 s->alglen = toint(GET_32BIT(s->pkblob));
9097 s->alg = s->pkblob + 4;
9098 s->commentlen = toint(GET_32BIT(s->agentp));
9100 s->commentp = (char *)s->agentp;
9101 s->agentp += s->commentlen;
9102 /* s->agentp now points at next key, if any */
9104 /* See if server will accept it */
9105 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9106 ssh2_pkt_addstring(s->pktout, ssh->username);
9107 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9108 /* service requested */
9109 ssh2_pkt_addstring(s->pktout, "publickey");
9111 ssh2_pkt_addbool(s->pktout, FALSE); /* no signature included */
9112 ssh2_pkt_addstring_start(s->pktout);
9113 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
9114 ssh2_pkt_addstring_start(s->pktout);
9115 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
9116 ssh2_pkt_send(ssh, s->pktout);
9117 s->type = AUTH_TYPE_PUBLICKEY_OFFER_QUIET;
9119 crWaitUntilV(pktin);
9120 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
9122 /* Offer of key refused. */
9129 if (flags & FLAG_VERBOSE) {
9130 c_write_str(ssh, "Authenticating with "
9132 c_write(ssh, s->commentp, s->commentlen);
9133 c_write_str(ssh, "\" from agent\r\n");
9137 * Server is willing to accept the key.
9138 * Construct a SIGN_REQUEST.
9140 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9141 ssh2_pkt_addstring(s->pktout, ssh->username);
9142 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9143 /* service requested */
9144 ssh2_pkt_addstring(s->pktout, "publickey");
9146 ssh2_pkt_addbool(s->pktout, TRUE); /* signature included */
9147 ssh2_pkt_addstring_start(s->pktout);
9148 ssh2_pkt_addstring_data(s->pktout, s->alg, s->alglen);
9149 ssh2_pkt_addstring_start(s->pktout);
9150 ssh2_pkt_addstring_data(s->pktout, s->pkblob, s->pklen);
9152 /* Ask agent for signature. */
9153 s->siglen = s->pktout->length - 5 + 4 +
9154 ssh->v2_session_id_len;
9155 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
9157 s->len = 1; /* message type */
9158 s->len += 4 + s->pklen; /* key blob */
9159 s->len += 4 + s->siglen; /* data to sign */
9160 s->len += 4; /* flags */
9161 s->agentreq = snewn(4 + s->len, char);
9162 PUT_32BIT(s->agentreq, s->len);
9163 s->q = s->agentreq + 4;
9164 *s->q++ = SSH2_AGENTC_SIGN_REQUEST;
9165 PUT_32BIT(s->q, s->pklen);
9167 memcpy(s->q, s->pkblob, s->pklen);
9169 PUT_32BIT(s->q, s->siglen);
9171 /* Now the data to be signed... */
9172 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
9173 PUT_32BIT(s->q, ssh->v2_session_id_len);
9176 memcpy(s->q, ssh->v2_session_id,
9177 ssh->v2_session_id_len);
9178 s->q += ssh->v2_session_id_len;
9179 memcpy(s->q, s->pktout->data + 5,
9180 s->pktout->length - 5);
9181 s->q += s->pktout->length - 5;
9182 /* And finally the (zero) flags word. */
9184 if (!agent_query(s->agentreq, s->len + 4,
9186 ssh_agent_callback, ssh)) {
9190 bombout(("Unexpected data from server"
9191 " while waiting for agent"
9195 } while (pktin || inlen > 0);
9196 vret = ssh->agent_response;
9197 s->retlen = ssh->agent_response_len;
9202 if (s->retlen >= 9 &&
9203 s->ret[4] == SSH2_AGENT_SIGN_RESPONSE &&
9204 GET_32BIT(s->ret + 5) <= (unsigned)(s->retlen-9)) {
9205 logevent("Sending Pageant's response");
9206 ssh2_add_sigblob(ssh, s->pktout,
9207 s->pkblob, s->pklen,
9209 GET_32BIT(s->ret + 5));
9210 ssh2_pkt_send(ssh, s->pktout);
9211 s->type = AUTH_TYPE_PUBLICKEY;
9213 /* FIXME: less drastic response */
9214 bombout(("Pageant failed to answer challenge"));
9220 /* Do we have any keys left to try? */
9221 if (s->pkblob_in_agent) {
9222 s->done_agent = TRUE;
9223 s->tried_pubkey_config = TRUE;
9226 if (s->keyi >= s->nkeys)
9227 s->done_agent = TRUE;
9230 } else if (s->can_pubkey && s->publickey_blob &&
9231 !s->tried_pubkey_config) {
9233 struct ssh2_userkey *key; /* not live over crReturn */
9234 char *passphrase; /* not live over crReturn */
9236 ssh->pkt_actx = SSH2_PKTCTX_PUBLICKEY;
9238 s->tried_pubkey_config = TRUE;
9241 * Try the public key supplied in the configuration.
9243 * First, offer the public blob to see if the server is
9244 * willing to accept it.
9246 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9247 ssh2_pkt_addstring(s->pktout, ssh->username);
9248 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9249 /* service requested */
9250 ssh2_pkt_addstring(s->pktout, "publickey"); /* method */
9251 ssh2_pkt_addbool(s->pktout, FALSE);
9252 /* no signature included */
9253 ssh2_pkt_addstring(s->pktout, s->publickey_algorithm);
9254 ssh2_pkt_addstring_start(s->pktout);
9255 ssh2_pkt_addstring_data(s->pktout,
9256 (char *)s->publickey_blob,
9257 s->publickey_bloblen);
9258 ssh2_pkt_send(ssh, s->pktout);
9259 logevent("Offered public key");
9261 crWaitUntilV(pktin);
9262 if (pktin->type != SSH2_MSG_USERAUTH_PK_OK) {
9263 /* Key refused. Give up. */
9264 s->gotit = TRUE; /* reconsider message next loop */
9265 s->type = AUTH_TYPE_PUBLICKEY_OFFER_LOUD;
9266 continue; /* process this new message */
9268 logevent("Offer of public key accepted");
9271 * Actually attempt a serious authentication using
9274 if (flags & FLAG_VERBOSE) {
9275 c_write_str(ssh, "Authenticating with public key \"");
9276 c_write_str(ssh, s->publickey_comment);
9277 c_write_str(ssh, "\"\r\n");
9281 const char *error; /* not live over crReturn */
9282 if (s->publickey_encrypted) {
9284 * Get a passphrase from the user.
9286 int ret; /* need not be kept over crReturn */
9287 s->cur_prompt = new_prompts(ssh->frontend);
9288 s->cur_prompt->to_server = FALSE;
9289 s->cur_prompt->name = dupstr("SSH key passphrase");
9290 add_prompt(s->cur_prompt,
9291 dupprintf("Passphrase for key \"%.100s\": ",
9292 s->publickey_comment),
9294 ret = get_userpass_input(s->cur_prompt, NULL, 0);
9297 crWaitUntilV(!pktin);
9298 ret = get_userpass_input(s->cur_prompt,
9303 /* Failed to get a passphrase. Terminate. */
9304 free_prompts(s->cur_prompt);
9305 ssh_disconnect(ssh, NULL,
9306 "Unable to authenticate",
9307 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
9312 dupstr(s->cur_prompt->prompts[0]->result);
9313 free_prompts(s->cur_prompt);
9315 passphrase = NULL; /* no passphrase needed */
9319 * Try decrypting the key.
9321 s->keyfile = conf_get_filename(ssh->conf, CONF_keyfile);
9322 key = ssh2_load_userkey(s->keyfile, passphrase, &error);
9324 /* burn the evidence */
9325 smemclr(passphrase, strlen(passphrase));
9328 if (key == SSH2_WRONG_PASSPHRASE || key == NULL) {
9330 (key == SSH2_WRONG_PASSPHRASE)) {
9331 c_write_str(ssh, "Wrong passphrase\r\n");
9333 /* and loop again */
9335 c_write_str(ssh, "Unable to load private key (");
9336 c_write_str(ssh, error);
9337 c_write_str(ssh, ")\r\n");
9339 break; /* try something else */
9345 unsigned char *pkblob, *sigblob, *sigdata;
9346 int pkblob_len, sigblob_len, sigdata_len;
9350 * We have loaded the private key and the server
9351 * has announced that it's willing to accept it.
9352 * Hallelujah. Generate a signature and send it.
9354 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9355 ssh2_pkt_addstring(s->pktout, ssh->username);
9356 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9357 /* service requested */
9358 ssh2_pkt_addstring(s->pktout, "publickey");
9360 ssh2_pkt_addbool(s->pktout, TRUE);
9361 /* signature follows */
9362 ssh2_pkt_addstring(s->pktout, key->alg->name);
9363 pkblob = key->alg->public_blob(key->data,
9365 ssh2_pkt_addstring_start(s->pktout);
9366 ssh2_pkt_addstring_data(s->pktout, (char *)pkblob,
9370 * The data to be signed is:
9374 * followed by everything so far placed in the
9377 sigdata_len = s->pktout->length - 5 + 4 +
9378 ssh->v2_session_id_len;
9379 if (ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)
9381 sigdata = snewn(sigdata_len, unsigned char);
9383 if (!(ssh->remote_bugs & BUG_SSH2_PK_SESSIONID)) {
9384 PUT_32BIT(sigdata+p, ssh->v2_session_id_len);
9387 memcpy(sigdata+p, ssh->v2_session_id,
9388 ssh->v2_session_id_len);
9389 p += ssh->v2_session_id_len;
9390 memcpy(sigdata+p, s->pktout->data + 5,
9391 s->pktout->length - 5);
9392 p += s->pktout->length - 5;
9393 assert(p == sigdata_len);
9394 sigblob = key->alg->sign(key->data, (char *)sigdata,
9395 sigdata_len, &sigblob_len);
9396 ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
9397 sigblob, sigblob_len);
9402 ssh2_pkt_send(ssh, s->pktout);
9403 logevent("Sent public key signature");
9404 s->type = AUTH_TYPE_PUBLICKEY;
9405 key->alg->freekey(key->data);
9409 } else if (s->can_gssapi && !s->tried_gssapi) {
9411 /* GSSAPI Authentication */
9416 s->type = AUTH_TYPE_GSSAPI;
9417 s->tried_gssapi = TRUE;
9419 ssh->pkt_actx = SSH2_PKTCTX_GSSAPI;
9422 * Pick the highest GSS library on the preference
9428 for (i = 0; i < ngsslibs; i++) {
9429 int want_id = conf_get_int_int(ssh->conf,
9430 CONF_ssh_gsslist, i);
9431 for (j = 0; j < ssh->gsslibs->nlibraries; j++)
9432 if (ssh->gsslibs->libraries[j].id == want_id) {
9433 s->gsslib = &ssh->gsslibs->libraries[j];
9434 goto got_gsslib; /* double break */
9439 * We always expect to have found something in
9440 * the above loop: we only came here if there
9441 * was at least one viable GSS library, and the
9442 * preference list should always mention
9443 * everything and only change the order.
9448 if (s->gsslib->gsslogmsg)
9449 logevent(s->gsslib->gsslogmsg);
9451 /* Sending USERAUTH_REQUEST with "gssapi-with-mic" method */
9452 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9453 ssh2_pkt_addstring(s->pktout, ssh->username);
9454 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9455 ssh2_pkt_addstring(s->pktout, "gssapi-with-mic");
9456 logevent("Attempting GSSAPI authentication");
9458 /* add mechanism info */
9459 s->gsslib->indicate_mech(s->gsslib, &s->gss_buf);
9461 /* number of GSSAPI mechanisms */
9462 ssh2_pkt_adduint32(s->pktout,1);
9464 /* length of OID + 2 */
9465 ssh2_pkt_adduint32(s->pktout, s->gss_buf.length + 2);
9466 ssh2_pkt_addbyte(s->pktout, SSH2_GSS_OIDTYPE);
9469 ssh2_pkt_addbyte(s->pktout, (unsigned char) s->gss_buf.length);
9471 ssh_pkt_adddata(s->pktout, s->gss_buf.value,
9473 ssh2_pkt_send(ssh, s->pktout);
9474 crWaitUntilV(pktin);
9475 if (pktin->type != SSH2_MSG_USERAUTH_GSSAPI_RESPONSE) {
9476 logevent("GSSAPI authentication request refused");
9480 /* check returned packet ... */
9482 ssh_pkt_getstring(pktin, &data, &len);
9483 s->gss_rcvtok.value = data;
9484 s->gss_rcvtok.length = len;
9485 if (s->gss_rcvtok.length != s->gss_buf.length + 2 ||
9486 ((char *)s->gss_rcvtok.value)[0] != SSH2_GSS_OIDTYPE ||
9487 ((char *)s->gss_rcvtok.value)[1] != s->gss_buf.length ||
9488 memcmp((char *)s->gss_rcvtok.value + 2,
9489 s->gss_buf.value,s->gss_buf.length) ) {
9490 logevent("GSSAPI authentication - wrong response from server");
9494 /* now start running */
9495 s->gss_stat = s->gsslib->import_name(s->gsslib,
9498 if (s->gss_stat != SSH_GSS_OK) {
9499 if (s->gss_stat == SSH_GSS_BAD_HOST_NAME)
9500 logevent("GSSAPI import name failed - Bad service name");
9502 logevent("GSSAPI import name failed");
9506 /* fetch TGT into GSS engine */
9507 s->gss_stat = s->gsslib->acquire_cred(s->gsslib, &s->gss_ctx);
9509 if (s->gss_stat != SSH_GSS_OK) {
9510 logevent("GSSAPI authentication failed to get credentials");
9511 s->gsslib->release_name(s->gsslib, &s->gss_srv_name);
9515 /* initial tokens are empty */
9516 SSH_GSS_CLEAR_BUF(&s->gss_rcvtok);
9517 SSH_GSS_CLEAR_BUF(&s->gss_sndtok);
9519 /* now enter the loop */
9521 s->gss_stat = s->gsslib->init_sec_context
9525 conf_get_int(ssh->conf, CONF_gssapifwd),
9529 if (s->gss_stat!=SSH_GSS_S_COMPLETE &&
9530 s->gss_stat!=SSH_GSS_S_CONTINUE_NEEDED) {
9531 logevent("GSSAPI authentication initialisation failed");
9533 if (s->gsslib->display_status(s->gsslib, s->gss_ctx,
9534 &s->gss_buf) == SSH_GSS_OK) {
9535 logevent(s->gss_buf.value);
9536 sfree(s->gss_buf.value);
9541 logevent("GSSAPI authentication initialised");
9543 /* Client and server now exchange tokens until GSSAPI
9544 * no longer says CONTINUE_NEEDED */
9546 if (s->gss_sndtok.length != 0) {
9547 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
9548 ssh_pkt_addstring_start(s->pktout);
9549 ssh_pkt_addstring_data(s->pktout,s->gss_sndtok.value,s->gss_sndtok.length);
9550 ssh2_pkt_send(ssh, s->pktout);
9551 s->gsslib->free_tok(s->gsslib, &s->gss_sndtok);
9554 if (s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED) {
9555 crWaitUntilV(pktin);
9556 if (pktin->type != SSH2_MSG_USERAUTH_GSSAPI_TOKEN) {
9557 logevent("GSSAPI authentication - bad server response");
9558 s->gss_stat = SSH_GSS_FAILURE;
9561 ssh_pkt_getstring(pktin, &data, &len);
9562 s->gss_rcvtok.value = data;
9563 s->gss_rcvtok.length = len;
9565 } while (s-> gss_stat == SSH_GSS_S_CONTINUE_NEEDED);
9567 if (s->gss_stat != SSH_GSS_OK) {
9568 s->gsslib->release_name(s->gsslib, &s->gss_srv_name);
9569 s->gsslib->release_cred(s->gsslib, &s->gss_ctx);
9572 logevent("GSSAPI authentication loop finished OK");
9574 /* Now send the MIC */
9576 s->pktout = ssh2_pkt_init(0);
9577 micoffset = s->pktout->length;
9578 ssh_pkt_addstring_start(s->pktout);
9579 ssh_pkt_addstring_data(s->pktout, (char *)ssh->v2_session_id, ssh->v2_session_id_len);
9580 ssh_pkt_addbyte(s->pktout, SSH2_MSG_USERAUTH_REQUEST);
9581 ssh_pkt_addstring(s->pktout, ssh->username);
9582 ssh_pkt_addstring(s->pktout, "ssh-connection");
9583 ssh_pkt_addstring(s->pktout, "gssapi-with-mic");
9585 s->gss_buf.value = (char *)s->pktout->data + micoffset;
9586 s->gss_buf.length = s->pktout->length - micoffset;
9588 s->gsslib->get_mic(s->gsslib, s->gss_ctx, &s->gss_buf, &mic);
9589 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_GSSAPI_MIC);
9590 ssh_pkt_addstring_start(s->pktout);
9591 ssh_pkt_addstring_data(s->pktout, mic.value, mic.length);
9592 ssh2_pkt_send(ssh, s->pktout);
9593 s->gsslib->free_mic(s->gsslib, &mic);
9597 s->gsslib->release_name(s->gsslib, &s->gss_srv_name);
9598 s->gsslib->release_cred(s->gsslib, &s->gss_ctx);
9601 } else if (s->can_keyb_inter && !s->kbd_inter_refused) {
9604 * Keyboard-interactive authentication.
9607 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE;
9609 ssh->pkt_actx = SSH2_PKTCTX_KBDINTER;
9611 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9612 ssh2_pkt_addstring(s->pktout, ssh->username);
9613 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9614 /* service requested */
9615 ssh2_pkt_addstring(s->pktout, "keyboard-interactive");
9617 ssh2_pkt_addstring(s->pktout, ""); /* lang */
9618 ssh2_pkt_addstring(s->pktout, ""); /* submethods */
9619 ssh2_pkt_send(ssh, s->pktout);
9621 logevent("Attempting keyboard-interactive authentication");
9623 crWaitUntilV(pktin);
9624 if (pktin->type != SSH2_MSG_USERAUTH_INFO_REQUEST) {
9625 /* Server is not willing to do keyboard-interactive
9626 * at all (or, bizarrely but legally, accepts the
9627 * user without actually issuing any prompts).
9628 * Give up on it entirely. */
9630 s->type = AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET;
9631 s->kbd_inter_refused = TRUE; /* don't try it again */
9636 * Loop while the server continues to send INFO_REQUESTs.
9638 while (pktin->type == SSH2_MSG_USERAUTH_INFO_REQUEST) {
9640 char *name, *inst, *lang;
9641 int name_len, inst_len, lang_len;
9645 * We've got a fresh USERAUTH_INFO_REQUEST.
9646 * Get the preamble and start building a prompt.
9648 ssh_pkt_getstring(pktin, &name, &name_len);
9649 ssh_pkt_getstring(pktin, &inst, &inst_len);
9650 ssh_pkt_getstring(pktin, &lang, &lang_len);
9651 s->cur_prompt = new_prompts(ssh->frontend);
9652 s->cur_prompt->to_server = TRUE;
9655 * Get any prompt(s) from the packet.
9657 s->num_prompts = ssh_pkt_getuint32(pktin);
9658 for (i = 0; i < s->num_prompts; i++) {
9662 static char noprompt[] =
9663 "<server failed to send prompt>: ";
9665 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
9666 echo = ssh2_pkt_getbool(pktin);
9669 prompt_len = lenof(noprompt)-1;
9671 add_prompt(s->cur_prompt,
9672 dupprintf("%.*s", prompt_len, prompt),
9677 /* FIXME: better prefix to distinguish from
9679 s->cur_prompt->name =
9680 dupprintf("SSH server: %.*s", name_len, name);
9681 s->cur_prompt->name_reqd = TRUE;
9683 s->cur_prompt->name =
9684 dupstr("SSH server authentication");
9685 s->cur_prompt->name_reqd = FALSE;
9687 /* We add a prefix to try to make it clear that a prompt
9688 * has come from the server.
9689 * FIXME: ugly to print "Using..." in prompt _every_
9690 * time round. Can this be done more subtly? */
9691 /* Special case: for reasons best known to themselves,
9692 * some servers send k-i requests with no prompts and
9693 * nothing to display. Keep quiet in this case. */
9694 if (s->num_prompts || name_len || inst_len) {
9695 s->cur_prompt->instruction =
9696 dupprintf("Using keyboard-interactive authentication.%s%.*s",
9697 inst_len ? "\n" : "", inst_len, inst);
9698 s->cur_prompt->instr_reqd = TRUE;
9700 s->cur_prompt->instr_reqd = FALSE;
9704 * Display any instructions, and get the user's
9708 int ret; /* not live over crReturn */
9709 ret = get_userpass_input(s->cur_prompt, NULL, 0);
9712 crWaitUntilV(!pktin);
9713 ret = get_userpass_input(s->cur_prompt, in, inlen);
9718 * Failed to get responses. Terminate.
9720 free_prompts(s->cur_prompt);
9721 ssh_disconnect(ssh, NULL, "Unable to authenticate",
9722 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
9729 * Send the response(s) to the server.
9731 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_INFO_RESPONSE);
9732 ssh2_pkt_adduint32(s->pktout, s->num_prompts);
9733 for (i=0; i < s->num_prompts; i++) {
9734 ssh2_pkt_addstring(s->pktout,
9735 s->cur_prompt->prompts[i]->result);
9737 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
9740 * Free the prompts structure from this iteration.
9741 * If there's another, a new one will be allocated
9742 * when we return to the top of this while loop.
9744 free_prompts(s->cur_prompt);
9747 * Get the next packet in case it's another
9750 crWaitUntilV(pktin);
9755 * We should have SUCCESS or FAILURE now.
9759 } else if (s->can_passwd) {
9762 * Plain old password authentication.
9764 int ret; /* not live over crReturn */
9765 int changereq_first_time; /* not live over crReturn */
9767 ssh->pkt_actx = SSH2_PKTCTX_PASSWORD;
9769 s->cur_prompt = new_prompts(ssh->frontend);
9770 s->cur_prompt->to_server = TRUE;
9771 s->cur_prompt->name = dupstr("SSH password");
9772 add_prompt(s->cur_prompt, dupprintf("%s@%s's password: ",
9777 ret = get_userpass_input(s->cur_prompt, NULL, 0);
9780 crWaitUntilV(!pktin);
9781 ret = get_userpass_input(s->cur_prompt, in, inlen);
9786 * Failed to get responses. Terminate.
9788 free_prompts(s->cur_prompt);
9789 ssh_disconnect(ssh, NULL, "Unable to authenticate",
9790 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
9795 * Squirrel away the password. (We may need it later if
9796 * asked to change it.)
9798 s->password = dupstr(s->cur_prompt->prompts[0]->result);
9799 free_prompts(s->cur_prompt);
9802 * Send the password packet.
9804 * We pad out the password packet to 256 bytes to make
9805 * it harder for an attacker to find the length of the
9808 * Anyone using a password longer than 256 bytes
9809 * probably doesn't have much to worry about from
9810 * people who find out how long their password is!
9812 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9813 ssh2_pkt_addstring(s->pktout, ssh->username);
9814 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9815 /* service requested */
9816 ssh2_pkt_addstring(s->pktout, "password");
9817 ssh2_pkt_addbool(s->pktout, FALSE);
9818 ssh2_pkt_addstring(s->pktout, s->password);
9819 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
9820 logevent("Sent password");
9821 s->type = AUTH_TYPE_PASSWORD;
9824 * Wait for next packet, in case it's a password change
9827 crWaitUntilV(pktin);
9828 changereq_first_time = TRUE;
9830 while (pktin->type == SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) {
9833 * We're being asked for a new password
9834 * (perhaps not for the first time).
9835 * Loop until the server accepts it.
9838 int got_new = FALSE; /* not live over crReturn */
9839 char *prompt; /* not live over crReturn */
9840 int prompt_len; /* not live over crReturn */
9844 if (changereq_first_time)
9845 msg = "Server requested password change";
9847 msg = "Server rejected new password";
9849 c_write_str(ssh, msg);
9850 c_write_str(ssh, "\r\n");
9853 ssh_pkt_getstring(pktin, &prompt, &prompt_len);
9855 s->cur_prompt = new_prompts(ssh->frontend);
9856 s->cur_prompt->to_server = TRUE;
9857 s->cur_prompt->name = dupstr("New SSH password");
9858 s->cur_prompt->instruction =
9859 dupprintf("%.*s", prompt_len, prompt);
9860 s->cur_prompt->instr_reqd = TRUE;
9862 * There's no explicit requirement in the protocol
9863 * for the "old" passwords in the original and
9864 * password-change messages to be the same, and
9865 * apparently some Cisco kit supports password change
9866 * by the user entering a blank password originally
9867 * and the real password subsequently, so,
9868 * reluctantly, we prompt for the old password again.
9870 * (On the other hand, some servers don't even bother
9871 * to check this field.)
9873 add_prompt(s->cur_prompt,
9874 dupstr("Current password (blank for previously entered password): "),
9876 add_prompt(s->cur_prompt, dupstr("Enter new password: "),
9878 add_prompt(s->cur_prompt, dupstr("Confirm new password: "),
9882 * Loop until the user manages to enter the same
9887 ret = get_userpass_input(s->cur_prompt, NULL, 0);
9890 crWaitUntilV(!pktin);
9891 ret = get_userpass_input(s->cur_prompt, in, inlen);
9896 * Failed to get responses. Terminate.
9898 /* burn the evidence */
9899 free_prompts(s->cur_prompt);
9900 smemclr(s->password, strlen(s->password));
9902 ssh_disconnect(ssh, NULL, "Unable to authenticate",
9903 SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER,
9909 * If the user specified a new original password
9910 * (IYSWIM), overwrite any previously specified
9912 * (A side effect is that the user doesn't have to
9913 * re-enter it if they louse up the new password.)
9915 if (s->cur_prompt->prompts[0]->result[0]) {
9916 smemclr(s->password, strlen(s->password));
9917 /* burn the evidence */
9920 dupstr(s->cur_prompt->prompts[0]->result);
9924 * Check the two new passwords match.
9926 got_new = (strcmp(s->cur_prompt->prompts[1]->result,
9927 s->cur_prompt->prompts[2]->result)
9930 /* They don't. Silly user. */
9931 c_write_str(ssh, "Passwords do not match\r\n");
9936 * Send the new password (along with the old one).
9937 * (see above for padding rationale)
9939 s->pktout = ssh2_pkt_init(SSH2_MSG_USERAUTH_REQUEST);
9940 ssh2_pkt_addstring(s->pktout, ssh->username);
9941 ssh2_pkt_addstring(s->pktout, "ssh-connection");
9942 /* service requested */
9943 ssh2_pkt_addstring(s->pktout, "password");
9944 ssh2_pkt_addbool(s->pktout, TRUE);
9945 ssh2_pkt_addstring(s->pktout, s->password);
9946 ssh2_pkt_addstring(s->pktout,
9947 s->cur_prompt->prompts[1]->result);
9948 free_prompts(s->cur_prompt);
9949 ssh2_pkt_send_with_padding(ssh, s->pktout, 256);
9950 logevent("Sent new password");
9953 * Now see what the server has to say about it.
9954 * (If it's CHANGEREQ again, it's not happy with the
9957 crWaitUntilV(pktin);
9958 changereq_first_time = FALSE;
9963 * We need to reexamine the current pktin at the top
9964 * of the loop. Either:
9965 * - we weren't asked to change password at all, in
9966 * which case it's a SUCCESS or FAILURE with the
9968 * - we sent a new password, and the server was
9969 * either OK with it (SUCCESS or FAILURE w/partial
9970 * success) or unhappy with the _old_ password
9971 * (FAILURE w/o partial success)
9972 * In any of these cases, we go back to the top of
9973 * the loop and start again.
9978 * We don't need the old password any more, in any
9979 * case. Burn the evidence.
9981 smemclr(s->password, strlen(s->password));
9985 char *str = dupprintf("No supported authentication methods available"
9986 " (server sent: %.*s)",
9989 ssh_disconnect(ssh, str,
9990 "No supported authentication methods available",
9991 SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE,
10001 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = NULL;
10003 /* Clear up various bits and pieces from authentication. */
10004 if (s->publickey_blob) {
10005 sfree(s->publickey_blob);
10006 sfree(s->publickey_comment);
10008 if (s->agent_response)
10009 sfree(s->agent_response);
10011 if (s->userauth_success && !ssh->bare_connection) {
10013 * We've just received USERAUTH_SUCCESS, and we haven't sent any
10014 * packets since. Signal the transport layer to consider enacting
10015 * delayed compression.
10017 * (Relying on we_are_in is not sufficient, as
10018 * draft-miller-secsh-compression-delayed is quite clear that it
10019 * triggers on USERAUTH_SUCCESS specifically, and we_are_in can
10020 * become set for other reasons.)
10022 do_ssh2_transport(ssh, "enabling delayed compression", -2, NULL);
10025 ssh->channels = newtree234(ssh_channelcmp);
10028 * Set up handlers for some connection protocol messages, so we
10029 * don't have to handle them repeatedly in this coroutine.
10031 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] =
10032 ssh2_msg_channel_window_adjust;
10033 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] =
10034 ssh2_msg_global_request;
10037 * Create the main session channel.
10039 if (conf_get_int(ssh->conf, CONF_ssh_no_shell)) {
10040 ssh->mainchan = NULL;
10042 ssh->mainchan = snew(struct ssh_channel);
10043 ssh->mainchan->ssh = ssh;
10044 ssh2_channel_init(ssh->mainchan);
10046 if (*conf_get_str(ssh->conf, CONF_ssh_nc_host)) {
10048 * Just start a direct-tcpip channel and use it as the main
10051 ssh_send_port_open(ssh->mainchan,
10052 conf_get_str(ssh->conf, CONF_ssh_nc_host),
10053 conf_get_int(ssh->conf, CONF_ssh_nc_port),
10055 ssh->ncmode = TRUE;
10057 s->pktout = ssh2_chanopen_init(ssh->mainchan, "session");
10058 logevent("Opening session as main channel");
10059 ssh2_pkt_send(ssh, s->pktout);
10060 ssh->ncmode = FALSE;
10062 crWaitUntilV(pktin);
10063 if (pktin->type != SSH2_MSG_CHANNEL_OPEN_CONFIRMATION) {
10064 bombout(("Server refused to open channel"));
10066 /* FIXME: error data comes back in FAILURE packet */
10068 if (ssh_pkt_getuint32(pktin) != ssh->mainchan->localid) {
10069 bombout(("Server's channel confirmation cited wrong channel"));
10072 ssh->mainchan->remoteid = ssh_pkt_getuint32(pktin);
10073 ssh->mainchan->halfopen = FALSE;
10074 ssh->mainchan->type = CHAN_MAINSESSION;
10075 ssh->mainchan->v.v2.remwindow = ssh_pkt_getuint32(pktin);
10076 ssh->mainchan->v.v2.remmaxpkt = ssh_pkt_getuint32(pktin);
10077 add234(ssh->channels, ssh->mainchan);
10078 update_specials_menu(ssh->frontend);
10079 logevent("Opened main channel");
10083 * Now we have a channel, make dispatch table entries for
10084 * general channel-based messages.
10086 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] =
10087 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] =
10088 ssh2_msg_channel_data;
10089 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_channel_eof;
10090 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_channel_close;
10091 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] =
10092 ssh2_msg_channel_open_confirmation;
10093 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] =
10094 ssh2_msg_channel_open_failure;
10095 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] =
10096 ssh2_msg_channel_request;
10097 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] =
10098 ssh2_msg_channel_open;
10099 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = ssh2_msg_channel_response;
10100 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = ssh2_msg_channel_response;
10103 * Now the connection protocol is properly up and running, with
10104 * all those dispatch table entries, so it's safe to let
10105 * downstreams start trying to open extra channels through us.
10107 if (ssh->connshare)
10108 share_activate(ssh->connshare, ssh->v_s);
10110 if (ssh->mainchan && ssh_is_simple(ssh)) {
10112 * This message indicates to the server that we promise
10113 * not to try to run any other channel in parallel with
10114 * this one, so it's safe for it to advertise a very large
10115 * window and leave the flow control to TCP.
10117 s->pktout = ssh2_chanreq_init(ssh->mainchan,
10118 "simple@putty.projects.tartarus.org",
10120 ssh2_pkt_send(ssh, s->pktout);
10124 * Enable port forwardings.
10126 ssh_setup_portfwd(ssh, ssh->conf);
10128 if (ssh->mainchan && !ssh->ncmode) {
10130 * Send the CHANNEL_REQUESTS for the main session channel.
10131 * Each one is handled by its own little asynchronous
10135 /* Potentially enable X11 forwarding. */
10136 if (conf_get_int(ssh->conf, CONF_x11_forward)) {
10138 x11_setup_display(conf_get_str(ssh->conf, CONF_x11_display),
10140 if (!ssh->x11disp) {
10141 /* FIXME: return an error message from x11_setup_display */
10142 logevent("X11 forwarding not enabled: unable to"
10143 " initialise X display");
10145 ssh->x11auth = x11_invent_fake_auth
10146 (ssh->x11authtree, conf_get_int(ssh->conf, CONF_x11_auth));
10147 ssh->x11auth->disp = ssh->x11disp;
10149 ssh2_setup_x11(ssh->mainchan, NULL, NULL);
10153 /* Potentially enable agent forwarding. */
10154 if (ssh_agent_forwarding_permitted(ssh))
10155 ssh2_setup_agent(ssh->mainchan, NULL, NULL);
10157 /* Now allocate a pty for the session. */
10158 if (!conf_get_int(ssh->conf, CONF_nopty))
10159 ssh2_setup_pty(ssh->mainchan, NULL, NULL);
10161 /* Send environment variables. */
10162 ssh2_setup_env(ssh->mainchan, NULL, NULL);
10165 * Start a shell or a remote command. We may have to attempt
10166 * this twice if the config data has provided a second choice
10173 if (ssh->fallback_cmd) {
10174 subsys = conf_get_int(ssh->conf, CONF_ssh_subsys2);
10175 cmd = conf_get_str(ssh->conf, CONF_remote_cmd2);
10177 subsys = conf_get_int(ssh->conf, CONF_ssh_subsys);
10178 cmd = conf_get_str(ssh->conf, CONF_remote_cmd);
10182 s->pktout = ssh2_chanreq_init(ssh->mainchan, "subsystem",
10183 ssh2_response_authconn, NULL);
10184 ssh2_pkt_addstring(s->pktout, cmd);
10186 s->pktout = ssh2_chanreq_init(ssh->mainchan, "exec",
10187 ssh2_response_authconn, NULL);
10188 ssh2_pkt_addstring(s->pktout, cmd);
10190 s->pktout = ssh2_chanreq_init(ssh->mainchan, "shell",
10191 ssh2_response_authconn, NULL);
10193 ssh2_pkt_send(ssh, s->pktout);
10195 crWaitUntilV(pktin);
10197 if (pktin->type != SSH2_MSG_CHANNEL_SUCCESS) {
10198 if (pktin->type != SSH2_MSG_CHANNEL_FAILURE) {
10199 bombout(("Unexpected response to shell/command request:"
10200 " packet type %d", pktin->type));
10204 * We failed to start the command. If this is the
10205 * fallback command, we really are finished; if it's
10206 * not, and if the fallback command exists, try falling
10207 * back to it before complaining.
10209 if (!ssh->fallback_cmd &&
10210 *conf_get_str(ssh->conf, CONF_remote_cmd2)) {
10211 logevent("Primary command failed; attempting fallback");
10212 ssh->fallback_cmd = TRUE;
10215 bombout(("Server refused to start a shell/command"));
10218 logevent("Started a shell/command");
10223 ssh->editing = ssh->echoing = TRUE;
10226 ssh->state = SSH_STATE_SESSION;
10227 if (ssh->size_needed)
10228 ssh_size(ssh, ssh->term_width, ssh->term_height);
10229 if (ssh->eof_needed)
10230 ssh_special(ssh, TS_EOF);
10236 ldisc_send(ssh->ldisc, NULL, 0, 0);/* cause ldisc to notice changes */
10241 s->try_send = FALSE;
10245 * _All_ the connection-layer packets we expect to
10246 * receive are now handled by the dispatch table.
10247 * Anything that reaches here must be bogus.
10250 bombout(("Strange packet received: type %d", pktin->type));
10252 } else if (ssh->mainchan) {
10254 * We have spare data. Add it to the channel buffer.
10256 ssh2_add_channel_data(ssh->mainchan, (char *)in, inlen);
10257 s->try_send = TRUE;
10261 struct ssh_channel *c;
10263 * Try to send data on all channels if we can.
10265 for (i = 0; NULL != (c = index234(ssh->channels, i)); i++)
10266 ssh2_try_send_and_unthrottle(ssh, c);
10274 * Handlers for SSH-2 messages that might arrive at any moment.
10276 static void ssh2_msg_disconnect(Ssh ssh, struct Packet *pktin)
10278 /* log reason code in disconnect message */
10280 int reason, msglen;
10282 reason = ssh_pkt_getuint32(pktin);
10283 ssh_pkt_getstring(pktin, &msg, &msglen);
10285 if (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) {
10286 buf = dupprintf("Received disconnect message (%s)",
10287 ssh2_disconnect_reasons[reason]);
10289 buf = dupprintf("Received disconnect message (unknown"
10290 " type %d)", reason);
10294 buf = dupprintf("Disconnection message text: %.*s",
10297 bombout(("Server sent disconnect message\ntype %d (%s):\n\"%.*s\"",
10299 (reason > 0 && reason < lenof(ssh2_disconnect_reasons)) ?
10300 ssh2_disconnect_reasons[reason] : "unknown",
10305 static void ssh2_msg_debug(Ssh ssh, struct Packet *pktin)
10307 /* log the debug message */
10311 /* XXX maybe we should actually take notice of the return value */
10312 ssh2_pkt_getbool(pktin);
10313 ssh_pkt_getstring(pktin, &msg, &msglen);
10315 logeventf(ssh, "Remote debug message: %.*s", msglen, msg);
10318 static void ssh2_msg_transport(Ssh ssh, struct Packet *pktin)
10320 do_ssh2_transport(ssh, NULL, 0, pktin);
10324 * Called if we receive a packet that isn't allowed by the protocol.
10325 * This only applies to packets whose meaning PuTTY understands.
10326 * Entirely unknown packets are handled below.
10328 static void ssh2_msg_unexpected(Ssh ssh, struct Packet *pktin)
10330 char *buf = dupprintf("Server protocol violation: unexpected %s packet",
10331 ssh2_pkt_type(ssh->pkt_kctx, ssh->pkt_actx,
10333 ssh_disconnect(ssh, NULL, buf, SSH2_DISCONNECT_PROTOCOL_ERROR, FALSE);
10337 static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin)
10339 struct Packet *pktout;
10340 pktout = ssh2_pkt_init(SSH2_MSG_UNIMPLEMENTED);
10341 ssh2_pkt_adduint32(pktout, pktin->sequence);
10343 * UNIMPLEMENTED messages MUST appear in the same order as the
10344 * messages they respond to. Hence, never queue them.
10346 ssh2_pkt_send_noqueue(ssh, pktout);
10350 * Handle the top-level SSH-2 protocol.
10352 static void ssh2_protocol_setup(Ssh ssh)
10357 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
10359 for (i = 0; i < 256; i++)
10360 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
10363 * Initially, we only accept transport messages (and a few generic
10364 * ones). do_ssh2_authconn will add more when it starts.
10365 * Messages that are understood but not currently acceptable go to
10366 * ssh2_msg_unexpected.
10368 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = ssh2_msg_unexpected;
10369 ssh->packet_dispatch[SSH2_MSG_SERVICE_REQUEST] = ssh2_msg_unexpected;
10370 ssh->packet_dispatch[SSH2_MSG_SERVICE_ACCEPT] = ssh2_msg_unexpected;
10371 ssh->packet_dispatch[SSH2_MSG_KEXINIT] = ssh2_msg_transport;
10372 ssh->packet_dispatch[SSH2_MSG_NEWKEYS] = ssh2_msg_transport;
10373 ssh->packet_dispatch[SSH2_MSG_KEXDH_INIT] = ssh2_msg_transport;
10374 ssh->packet_dispatch[SSH2_MSG_KEXDH_REPLY] = ssh2_msg_transport;
10375 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = ssh2_msg_transport; duplicate case value */
10376 /* ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_GROUP] = ssh2_msg_transport; duplicate case value */
10377 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = ssh2_msg_transport;
10378 ssh->packet_dispatch[SSH2_MSG_KEX_DH_GEX_REPLY] = ssh2_msg_transport;
10379 ssh->packet_dispatch[SSH2_MSG_USERAUTH_REQUEST] = ssh2_msg_unexpected;
10380 ssh->packet_dispatch[SSH2_MSG_USERAUTH_FAILURE] = ssh2_msg_unexpected;
10381 ssh->packet_dispatch[SSH2_MSG_USERAUTH_SUCCESS] = ssh2_msg_unexpected;
10382 ssh->packet_dispatch[SSH2_MSG_USERAUTH_BANNER] = ssh2_msg_unexpected;
10383 ssh->packet_dispatch[SSH2_MSG_USERAUTH_PK_OK] = ssh2_msg_unexpected;
10384 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ] = ssh2_msg_unexpected; duplicate case value */
10385 /* ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_REQUEST] = ssh2_msg_unexpected; duplicate case value */
10386 ssh->packet_dispatch[SSH2_MSG_USERAUTH_INFO_RESPONSE] = ssh2_msg_unexpected;
10387 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = ssh2_msg_unexpected;
10388 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = ssh2_msg_unexpected;
10389 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = ssh2_msg_unexpected;
10390 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = ssh2_msg_unexpected;
10391 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = ssh2_msg_unexpected;
10392 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = ssh2_msg_unexpected;
10393 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = ssh2_msg_unexpected;
10394 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = ssh2_msg_unexpected;
10395 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = ssh2_msg_unexpected;
10396 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_unexpected;
10397 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_unexpected;
10398 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = ssh2_msg_unexpected;
10399 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = ssh2_msg_unexpected;
10400 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = ssh2_msg_unexpected;
10403 * These messages have a special handler from the start.
10405 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
10406 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore; /* shared with SSH-1 */
10407 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
10410 static void ssh2_bare_connection_protocol_setup(Ssh ssh)
10415 * Most messages cause SSH2_MSG_UNIMPLEMENTED.
10417 for (i = 0; i < 256; i++)
10418 ssh->packet_dispatch[i] = ssh2_msg_something_unimplemented;
10421 * Initially, we set all ssh-connection messages to 'unexpected';
10422 * do_ssh2_authconn will fill things in properly. We also handle a
10423 * couple of messages from the transport protocol which aren't
10424 * related to key exchange (UNIMPLEMENTED, IGNORE, DEBUG,
10427 ssh->packet_dispatch[SSH2_MSG_GLOBAL_REQUEST] = ssh2_msg_unexpected;
10428 ssh->packet_dispatch[SSH2_MSG_REQUEST_SUCCESS] = ssh2_msg_unexpected;
10429 ssh->packet_dispatch[SSH2_MSG_REQUEST_FAILURE] = ssh2_msg_unexpected;
10430 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN] = ssh2_msg_unexpected;
10431 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_CONFIRMATION] = ssh2_msg_unexpected;
10432 ssh->packet_dispatch[SSH2_MSG_CHANNEL_OPEN_FAILURE] = ssh2_msg_unexpected;
10433 ssh->packet_dispatch[SSH2_MSG_CHANNEL_WINDOW_ADJUST] = ssh2_msg_unexpected;
10434 ssh->packet_dispatch[SSH2_MSG_CHANNEL_DATA] = ssh2_msg_unexpected;
10435 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EXTENDED_DATA] = ssh2_msg_unexpected;
10436 ssh->packet_dispatch[SSH2_MSG_CHANNEL_EOF] = ssh2_msg_unexpected;
10437 ssh->packet_dispatch[SSH2_MSG_CHANNEL_CLOSE] = ssh2_msg_unexpected;
10438 ssh->packet_dispatch[SSH2_MSG_CHANNEL_REQUEST] = ssh2_msg_unexpected;
10439 ssh->packet_dispatch[SSH2_MSG_CHANNEL_SUCCESS] = ssh2_msg_unexpected;
10440 ssh->packet_dispatch[SSH2_MSG_CHANNEL_FAILURE] = ssh2_msg_unexpected;
10442 ssh->packet_dispatch[SSH2_MSG_UNIMPLEMENTED] = ssh2_msg_unexpected;
10445 * These messages have a special handler from the start.
10447 ssh->packet_dispatch[SSH2_MSG_DISCONNECT] = ssh2_msg_disconnect;
10448 ssh->packet_dispatch[SSH2_MSG_IGNORE] = ssh_msg_ignore;
10449 ssh->packet_dispatch[SSH2_MSG_DEBUG] = ssh2_msg_debug;
10452 static void ssh2_timer(void *ctx, unsigned long now)
10454 Ssh ssh = (Ssh)ctx;
10456 if (ssh->state == SSH_STATE_CLOSED)
10459 if (!ssh->kex_in_progress && !ssh->bare_connection &&
10460 conf_get_int(ssh->conf, CONF_ssh_rekey_time) != 0 &&
10461 now == ssh->next_rekey) {
10462 do_ssh2_transport(ssh, "timeout", -1, NULL);
10466 static void ssh2_protocol(Ssh ssh, void *vin, int inlen,
10467 struct Packet *pktin)
10469 unsigned char *in = (unsigned char *)vin;
10470 if (ssh->state == SSH_STATE_CLOSED)
10474 ssh->incoming_data_size += pktin->encrypted_len;
10475 if (!ssh->kex_in_progress &&
10476 ssh->max_data_size != 0 &&
10477 ssh->incoming_data_size > ssh->max_data_size)
10478 do_ssh2_transport(ssh, "too much data received", -1, NULL);
10482 ssh->packet_dispatch[pktin->type](ssh, pktin);
10483 else if (!ssh->protocol_initial_phase_done)
10484 do_ssh2_transport(ssh, in, inlen, pktin);
10486 do_ssh2_authconn(ssh, in, inlen, pktin);
10489 static void ssh2_bare_connection_protocol(Ssh ssh, void *vin, int inlen,
10490 struct Packet *pktin)
10492 unsigned char *in = (unsigned char *)vin;
10493 if (ssh->state == SSH_STATE_CLOSED)
10497 ssh->packet_dispatch[pktin->type](ssh, pktin);
10499 do_ssh2_authconn(ssh, in, inlen, pktin);
10502 static void ssh_cache_conf_values(Ssh ssh)
10504 ssh->logomitdata = conf_get_int(ssh->conf, CONF_logomitdata);
10508 * Called to set up the connection.
10510 * Returns an error message, or NULL on success.
10512 static const char *ssh_init(void *frontend_handle, void **backend_handle,
10513 Conf *conf, char *host, int port, char **realhost,
10514 int nodelay, int keepalive)
10519 ssh = snew(struct ssh_tag);
10520 ssh->conf = conf_copy(conf);
10521 ssh_cache_conf_values(ssh);
10522 ssh->version = 0; /* when not ready yet */
10524 ssh->cipher = NULL;
10525 ssh->v1_cipher_ctx = NULL;
10526 ssh->crcda_ctx = NULL;
10527 ssh->cscipher = NULL;
10528 ssh->cs_cipher_ctx = NULL;
10529 ssh->sccipher = NULL;
10530 ssh->sc_cipher_ctx = NULL;
10532 ssh->cs_mac_ctx = NULL;
10534 ssh->sc_mac_ctx = NULL;
10535 ssh->cscomp = NULL;
10536 ssh->cs_comp_ctx = NULL;
10537 ssh->sccomp = NULL;
10538 ssh->sc_comp_ctx = NULL;
10540 ssh->kex_ctx = NULL;
10541 ssh->hostkey = NULL;
10542 ssh->hostkey_str = NULL;
10543 ssh->exitcode = -1;
10544 ssh->close_expected = FALSE;
10545 ssh->clean_exit = FALSE;
10546 ssh->state = SSH_STATE_PREPACKET;
10547 ssh->size_needed = FALSE;
10548 ssh->eof_needed = FALSE;
10550 ssh->logctx = NULL;
10551 ssh->deferred_send_data = NULL;
10552 ssh->deferred_len = 0;
10553 ssh->deferred_size = 0;
10554 ssh->fallback_cmd = 0;
10555 ssh->pkt_kctx = SSH2_PKTCTX_NOKEX;
10556 ssh->pkt_actx = SSH2_PKTCTX_NOAUTH;
10557 ssh->x11disp = NULL;
10558 ssh->x11auth = NULL;
10559 ssh->x11authtree = newtree234(x11_authcmp);
10560 ssh->v1_compressing = FALSE;
10561 ssh->v2_outgoing_sequence = 0;
10562 ssh->ssh1_rdpkt_crstate = 0;
10563 ssh->ssh2_rdpkt_crstate = 0;
10564 ssh->ssh2_bare_rdpkt_crstate = 0;
10565 ssh->ssh_gotdata_crstate = 0;
10566 ssh->do_ssh1_connection_crstate = 0;
10567 ssh->do_ssh_init_state = NULL;
10568 ssh->do_ssh_connection_init_state = NULL;
10569 ssh->do_ssh1_login_state = NULL;
10570 ssh->do_ssh2_transport_state = NULL;
10571 ssh->do_ssh2_authconn_state = NULL;
10574 ssh->mainchan = NULL;
10575 ssh->throttled_all = 0;
10576 ssh->v1_stdout_throttling = 0;
10578 ssh->queuelen = ssh->queuesize = 0;
10579 ssh->queueing = FALSE;
10580 ssh->qhead = ssh->qtail = NULL;
10581 ssh->deferred_rekey_reason = NULL;
10582 bufchain_init(&ssh->queued_incoming_data);
10583 ssh->frozen = FALSE;
10584 ssh->username = NULL;
10585 ssh->sent_console_eof = FALSE;
10586 ssh->got_pty = FALSE;
10587 ssh->bare_connection = FALSE;
10588 ssh->attempting_connshare = FALSE;
10590 *backend_handle = ssh;
10593 if (crypto_startup() == 0)
10594 return "Microsoft high encryption pack not installed!";
10597 ssh->frontend = frontend_handle;
10598 ssh->term_width = conf_get_int(ssh->conf, CONF_width);
10599 ssh->term_height = conf_get_int(ssh->conf, CONF_height);
10601 ssh->channels = NULL;
10602 ssh->rportfwds = NULL;
10603 ssh->portfwds = NULL;
10608 ssh->conn_throttle_count = 0;
10609 ssh->overall_bufsize = 0;
10610 ssh->fallback_cmd = 0;
10612 ssh->protocol = NULL;
10614 ssh->protocol_initial_phase_done = FALSE;
10616 ssh->pinger = NULL;
10618 ssh->incoming_data_size = ssh->outgoing_data_size =
10619 ssh->deferred_data_size = 0L;
10620 ssh->max_data_size = parse_blocksize(conf_get_str(ssh->conf,
10621 CONF_ssh_rekey_data));
10622 ssh->kex_in_progress = FALSE;
10625 ssh->gsslibs = NULL;
10628 random_ref(); /* do this now - may be needed by sharing setup code */
10630 p = connect_to_host(ssh, host, port, realhost, nodelay, keepalive);
10639 static void ssh_free(void *handle)
10641 Ssh ssh = (Ssh) handle;
10642 struct ssh_channel *c;
10643 struct ssh_rportfwd *pf;
10644 struct X11FakeAuth *auth;
10646 if (ssh->v1_cipher_ctx)
10647 ssh->cipher->free_context(ssh->v1_cipher_ctx);
10648 if (ssh->cs_cipher_ctx)
10649 ssh->cscipher->free_context(ssh->cs_cipher_ctx);
10650 if (ssh->sc_cipher_ctx)
10651 ssh->sccipher->free_context(ssh->sc_cipher_ctx);
10652 if (ssh->cs_mac_ctx)
10653 ssh->csmac->free_context(ssh->cs_mac_ctx);
10654 if (ssh->sc_mac_ctx)
10655 ssh->scmac->free_context(ssh->sc_mac_ctx);
10656 if (ssh->cs_comp_ctx) {
10658 ssh->cscomp->compress_cleanup(ssh->cs_comp_ctx);
10660 zlib_compress_cleanup(ssh->cs_comp_ctx);
10662 if (ssh->sc_comp_ctx) {
10664 ssh->sccomp->decompress_cleanup(ssh->sc_comp_ctx);
10666 zlib_decompress_cleanup(ssh->sc_comp_ctx);
10669 dh_cleanup(ssh->kex_ctx);
10670 sfree(ssh->savedhost);
10672 while (ssh->queuelen-- > 0)
10673 ssh_free_packet(ssh->queue[ssh->queuelen]);
10676 while (ssh->qhead) {
10677 struct queued_handler *qh = ssh->qhead;
10678 ssh->qhead = qh->next;
10681 ssh->qhead = ssh->qtail = NULL;
10683 if (ssh->channels) {
10684 while ((c = delpos234(ssh->channels, 0)) != NULL) {
10687 if (c->u.x11.xconn != NULL)
10688 x11_close(c->u.x11.xconn);
10690 case CHAN_SOCKDATA:
10691 case CHAN_SOCKDATA_DORMANT:
10692 if (c->u.pfd.pf != NULL)
10693 pfd_close(c->u.pfd.pf);
10696 if (ssh->version == 2) {
10697 struct outstanding_channel_request *ocr, *nocr;
10698 ocr = c->v.v2.chanreq_head;
10700 ocr->handler(c, NULL, ocr->ctx);
10705 bufchain_clear(&c->v.v2.outbuffer);
10709 freetree234(ssh->channels);
10710 ssh->channels = NULL;
10713 if (ssh->connshare)
10714 sharestate_free(ssh->connshare);
10716 if (ssh->rportfwds) {
10717 while ((pf = delpos234(ssh->rportfwds, 0)) != NULL)
10719 freetree234(ssh->rportfwds);
10720 ssh->rportfwds = NULL;
10722 sfree(ssh->deferred_send_data);
10724 x11_free_display(ssh->x11disp);
10725 while ((auth = delpos234(ssh->x11authtree, 0)) != NULL)
10726 x11_free_fake_auth(auth);
10727 freetree234(ssh->x11authtree);
10728 sfree(ssh->do_ssh_init_state);
10729 sfree(ssh->do_ssh1_login_state);
10730 sfree(ssh->do_ssh2_transport_state);
10731 sfree(ssh->do_ssh2_authconn_state);
10734 sfree(ssh->fullhostname);
10735 sfree(ssh->hostkey_str);
10736 if (ssh->crcda_ctx) {
10737 crcda_free_context(ssh->crcda_ctx);
10738 ssh->crcda_ctx = NULL;
10741 ssh_do_close(ssh, TRUE);
10742 expire_timer_context(ssh);
10744 pinger_free(ssh->pinger);
10745 bufchain_clear(&ssh->queued_incoming_data);
10746 sfree(ssh->username);
10747 conf_free(ssh->conf);
10750 ssh_gss_cleanup(ssh->gsslibs);
10758 * Reconfigure the SSH backend.
10760 static void ssh_reconfig(void *handle, Conf *conf)
10762 Ssh ssh = (Ssh) handle;
10763 char *rekeying = NULL, rekey_mandatory = FALSE;
10764 unsigned long old_max_data_size;
10767 pinger_reconfig(ssh->pinger, ssh->conf, conf);
10769 ssh_setup_portfwd(ssh, conf);
10771 rekey_time = conf_get_int(conf, CONF_ssh_rekey_time);
10772 if (conf_get_int(ssh->conf, CONF_ssh_rekey_time) != rekey_time &&
10774 unsigned long new_next = ssh->last_rekey + rekey_time*60*TICKSPERSEC;
10775 unsigned long now = GETTICKCOUNT();
10777 if (now - ssh->last_rekey > rekey_time*60*TICKSPERSEC) {
10778 rekeying = "timeout shortened";
10780 ssh->next_rekey = schedule_timer(new_next - now, ssh2_timer, ssh);
10784 old_max_data_size = ssh->max_data_size;
10785 ssh->max_data_size = parse_blocksize(conf_get_str(ssh->conf,
10786 CONF_ssh_rekey_data));
10787 if (old_max_data_size != ssh->max_data_size &&
10788 ssh->max_data_size != 0) {
10789 if (ssh->outgoing_data_size > ssh->max_data_size ||
10790 ssh->incoming_data_size > ssh->max_data_size)
10791 rekeying = "data limit lowered";
10794 if (conf_get_int(ssh->conf, CONF_compression) !=
10795 conf_get_int(conf, CONF_compression)) {
10796 rekeying = "compression setting changed";
10797 rekey_mandatory = TRUE;
10800 for (i = 0; i < CIPHER_MAX; i++)
10801 if (conf_get_int_int(ssh->conf, CONF_ssh_cipherlist, i) !=
10802 conf_get_int_int(conf, CONF_ssh_cipherlist, i)) {
10803 rekeying = "cipher settings changed";
10804 rekey_mandatory = TRUE;
10806 if (conf_get_int(ssh->conf, CONF_ssh2_des_cbc) !=
10807 conf_get_int(conf, CONF_ssh2_des_cbc)) {
10808 rekeying = "cipher settings changed";
10809 rekey_mandatory = TRUE;
10812 conf_free(ssh->conf);
10813 ssh->conf = conf_copy(conf);
10814 ssh_cache_conf_values(ssh);
10816 if (!ssh->bare_connection && rekeying) {
10817 if (!ssh->kex_in_progress) {
10818 do_ssh2_transport(ssh, rekeying, -1, NULL);
10819 } else if (rekey_mandatory) {
10820 ssh->deferred_rekey_reason = rekeying;
10826 * Called to send data down the SSH connection.
10828 static int ssh_send(void *handle, char *buf, int len)
10830 Ssh ssh = (Ssh) handle;
10832 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
10835 ssh->protocol(ssh, (unsigned char *)buf, len, 0);
10837 return ssh_sendbuffer(ssh);
10841 * Called to query the current amount of buffered stdin data.
10843 static int ssh_sendbuffer(void *handle)
10845 Ssh ssh = (Ssh) handle;
10846 int override_value;
10848 if (ssh == NULL || ssh->s == NULL || ssh->protocol == NULL)
10852 * If the SSH socket itself has backed up, add the total backup
10853 * size on that to any individual buffer on the stdin channel.
10855 override_value = 0;
10856 if (ssh->throttled_all)
10857 override_value = ssh->overall_bufsize;
10859 if (ssh->version == 1) {
10860 return override_value;
10861 } else if (ssh->version == 2) {
10862 if (!ssh->mainchan)
10863 return override_value;
10865 return (override_value +
10866 bufchain_size(&ssh->mainchan->v.v2.outbuffer));
10873 * Called to set the size of the window from SSH's POV.
10875 static void ssh_size(void *handle, int width, int height)
10877 Ssh ssh = (Ssh) handle;
10878 struct Packet *pktout;
10880 ssh->term_width = width;
10881 ssh->term_height = height;
10883 switch (ssh->state) {
10884 case SSH_STATE_BEFORE_SIZE:
10885 case SSH_STATE_PREPACKET:
10886 case SSH_STATE_CLOSED:
10887 break; /* do nothing */
10888 case SSH_STATE_INTERMED:
10889 ssh->size_needed = TRUE; /* buffer for later */
10891 case SSH_STATE_SESSION:
10892 if (!conf_get_int(ssh->conf, CONF_nopty)) {
10893 if (ssh->version == 1) {
10894 send_packet(ssh, SSH1_CMSG_WINDOW_SIZE,
10895 PKT_INT, ssh->term_height,
10896 PKT_INT, ssh->term_width,
10897 PKT_INT, 0, PKT_INT, 0, PKT_END);
10898 } else if (ssh->mainchan) {
10899 pktout = ssh2_chanreq_init(ssh->mainchan, "window-change",
10901 ssh2_pkt_adduint32(pktout, ssh->term_width);
10902 ssh2_pkt_adduint32(pktout, ssh->term_height);
10903 ssh2_pkt_adduint32(pktout, 0);
10904 ssh2_pkt_adduint32(pktout, 0);
10905 ssh2_pkt_send(ssh, pktout);
10913 * Return a list of the special codes that make sense in this
10916 static const struct telnet_special *ssh_get_specials(void *handle)
10918 static const struct telnet_special ssh1_ignore_special[] = {
10919 {"IGNORE message", TS_NOP}
10921 static const struct telnet_special ssh2_ignore_special[] = {
10922 {"IGNORE message", TS_NOP},
10924 static const struct telnet_special ssh2_rekey_special[] = {
10925 {"Repeat key exchange", TS_REKEY},
10927 static const struct telnet_special ssh2_session_specials[] = {
10930 /* These are the signal names defined by RFC 4254.
10931 * They include all the ISO C signals, but are a subset of the POSIX
10932 * required signals. */
10933 {"SIGINT (Interrupt)", TS_SIGINT},
10934 {"SIGTERM (Terminate)", TS_SIGTERM},
10935 {"SIGKILL (Kill)", TS_SIGKILL},
10936 {"SIGQUIT (Quit)", TS_SIGQUIT},
10937 {"SIGHUP (Hangup)", TS_SIGHUP},
10938 {"More signals", TS_SUBMENU},
10939 {"SIGABRT", TS_SIGABRT}, {"SIGALRM", TS_SIGALRM},
10940 {"SIGFPE", TS_SIGFPE}, {"SIGILL", TS_SIGILL},
10941 {"SIGPIPE", TS_SIGPIPE}, {"SIGSEGV", TS_SIGSEGV},
10942 {"SIGUSR1", TS_SIGUSR1}, {"SIGUSR2", TS_SIGUSR2},
10943 {NULL, TS_EXITMENU}
10945 static const struct telnet_special specials_end[] = {
10946 {NULL, TS_EXITMENU}
10948 /* XXX review this length for any changes: */
10949 static struct telnet_special ssh_specials[lenof(ssh2_ignore_special) +
10950 lenof(ssh2_rekey_special) +
10951 lenof(ssh2_session_specials) +
10952 lenof(specials_end)];
10953 Ssh ssh = (Ssh) handle;
10955 #define ADD_SPECIALS(name) \
10957 assert((i + lenof(name)) <= lenof(ssh_specials)); \
10958 memcpy(&ssh_specials[i], name, sizeof name); \
10959 i += lenof(name); \
10962 if (ssh->version == 1) {
10963 /* Don't bother offering IGNORE if we've decided the remote
10964 * won't cope with it, since we wouldn't bother sending it if
10966 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
10967 ADD_SPECIALS(ssh1_ignore_special);
10968 } else if (ssh->version == 2) {
10969 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH2_IGNORE))
10970 ADD_SPECIALS(ssh2_ignore_special);
10971 if (!(ssh->remote_bugs & BUG_SSH2_REKEY) && !ssh->bare_connection)
10972 ADD_SPECIALS(ssh2_rekey_special);
10974 ADD_SPECIALS(ssh2_session_specials);
10975 } /* else we're not ready yet */
10978 ADD_SPECIALS(specials_end);
10979 return ssh_specials;
10983 #undef ADD_SPECIALS
10987 * Send special codes. TS_EOF is useful for `plink', so you
10988 * can send an EOF and collect resulting output (e.g. `plink
10991 static void ssh_special(void *handle, Telnet_Special code)
10993 Ssh ssh = (Ssh) handle;
10994 struct Packet *pktout;
10996 if (code == TS_EOF) {
10997 if (ssh->state != SSH_STATE_SESSION) {
10999 * Buffer the EOF in case we are pre-SESSION, so we can
11000 * send it as soon as we reach SESSION.
11002 if (code == TS_EOF)
11003 ssh->eof_needed = TRUE;
11006 if (ssh->version == 1) {
11007 send_packet(ssh, SSH1_CMSG_EOF, PKT_END);
11008 } else if (ssh->mainchan) {
11009 sshfwd_write_eof(ssh->mainchan);
11010 ssh->send_ok = 0; /* now stop trying to read from stdin */
11012 logevent("Sent EOF message");
11013 } else if (code == TS_PING || code == TS_NOP) {
11014 if (ssh->state == SSH_STATE_CLOSED
11015 || ssh->state == SSH_STATE_PREPACKET) return;
11016 if (ssh->version == 1) {
11017 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH1_IGNORE))
11018 send_packet(ssh, SSH1_MSG_IGNORE, PKT_STR, "", PKT_END);
11020 if (!(ssh->remote_bugs & BUG_CHOKES_ON_SSH2_IGNORE)) {
11021 pktout = ssh2_pkt_init(SSH2_MSG_IGNORE);
11022 ssh2_pkt_addstring_start(pktout);
11023 ssh2_pkt_send_noqueue(ssh, pktout);
11026 } else if (code == TS_REKEY) {
11027 if (!ssh->kex_in_progress && !ssh->bare_connection &&
11028 ssh->version == 2) {
11029 do_ssh2_transport(ssh, "at user request", -1, NULL);
11031 } else if (code == TS_BRK) {
11032 if (ssh->state == SSH_STATE_CLOSED
11033 || ssh->state == SSH_STATE_PREPACKET) return;
11034 if (ssh->version == 1) {
11035 logevent("Unable to send BREAK signal in SSH-1");
11036 } else if (ssh->mainchan) {
11037 pktout = ssh2_chanreq_init(ssh->mainchan, "break", NULL, NULL);
11038 ssh2_pkt_adduint32(pktout, 0); /* default break length */
11039 ssh2_pkt_send(ssh, pktout);
11042 /* Is is a POSIX signal? */
11043 char *signame = NULL;
11044 if (code == TS_SIGABRT) signame = "ABRT";
11045 if (code == TS_SIGALRM) signame = "ALRM";
11046 if (code == TS_SIGFPE) signame = "FPE";
11047 if (code == TS_SIGHUP) signame = "HUP";
11048 if (code == TS_SIGILL) signame = "ILL";
11049 if (code == TS_SIGINT) signame = "INT";
11050 if (code == TS_SIGKILL) signame = "KILL";
11051 if (code == TS_SIGPIPE) signame = "PIPE";
11052 if (code == TS_SIGQUIT) signame = "QUIT";
11053 if (code == TS_SIGSEGV) signame = "SEGV";
11054 if (code == TS_SIGTERM) signame = "TERM";
11055 if (code == TS_SIGUSR1) signame = "USR1";
11056 if (code == TS_SIGUSR2) signame = "USR2";
11057 /* The SSH-2 protocol does in principle support arbitrary named
11058 * signals, including signame@domain, but we don't support those. */
11060 /* It's a signal. */
11061 if (ssh->version == 2 && ssh->mainchan) {
11062 pktout = ssh2_chanreq_init(ssh->mainchan, "signal", NULL, NULL);
11063 ssh2_pkt_addstring(pktout, signame);
11064 ssh2_pkt_send(ssh, pktout);
11065 logeventf(ssh, "Sent signal SIG%s", signame);
11068 /* Never heard of it. Do nothing */
11073 void *new_sock_channel(void *handle, struct PortForwarding *pf)
11075 Ssh ssh = (Ssh) handle;
11076 struct ssh_channel *c;
11077 c = snew(struct ssh_channel);
11080 ssh2_channel_init(c);
11081 c->halfopen = TRUE;
11082 c->type = CHAN_SOCKDATA_DORMANT;/* identify channel type */
11084 add234(ssh->channels, c);
11088 unsigned ssh_alloc_sharing_channel(Ssh ssh, void *sharing_ctx)
11090 struct ssh_channel *c;
11091 c = snew(struct ssh_channel);
11094 ssh2_channel_init(c);
11095 c->type = CHAN_SHARING;
11096 c->u.sharing.ctx = sharing_ctx;
11097 add234(ssh->channels, c);
11101 void ssh_delete_sharing_channel(Ssh ssh, unsigned localid)
11103 struct ssh_channel *c;
11105 c = find234(ssh->channels, &localid, ssh_channelfind);
11107 ssh_channel_destroy(c);
11110 void ssh_send_packet_from_downstream(Ssh ssh, unsigned id, int type,
11111 const void *data, int datalen,
11112 const char *additional_log_text)
11114 struct Packet *pkt;
11116 pkt = ssh2_pkt_init(type);
11117 pkt->downstream_id = id;
11118 pkt->additional_log_text = additional_log_text;
11119 ssh2_pkt_adddata(pkt, data, datalen);
11120 ssh2_pkt_send(ssh, pkt);
11124 * This is called when stdout/stderr (the entity to which
11125 * from_backend sends data) manages to clear some backlog.
11127 static void ssh_unthrottle(void *handle, int bufsize)
11129 Ssh ssh = (Ssh) handle;
11132 if (ssh->version == 1) {
11133 if (ssh->v1_stdout_throttling && bufsize < SSH1_BUFFER_LIMIT) {
11134 ssh->v1_stdout_throttling = 0;
11135 ssh_throttle_conn(ssh, -1);
11138 if (ssh->mainchan) {
11139 ssh2_set_window(ssh->mainchan,
11140 bufsize < ssh->mainchan->v.v2.locmaxwin ?
11141 ssh->mainchan->v.v2.locmaxwin - bufsize : 0);
11142 if (ssh_is_simple(ssh))
11145 buflimit = ssh->mainchan->v.v2.locmaxwin;
11146 if (ssh->mainchan->throttling_conn && bufsize <= buflimit) {
11147 ssh->mainchan->throttling_conn = 0;
11148 ssh_throttle_conn(ssh, -1);
11154 * Now process any SSH connection data that was stashed in our
11155 * queue while we were frozen.
11157 ssh_process_queued_incoming_data(ssh);
11160 void ssh_send_port_open(void *channel, char *hostname, int port, char *org)
11162 struct ssh_channel *c = (struct ssh_channel *)channel;
11164 struct Packet *pktout;
11166 logeventf(ssh, "Opening connection to %s:%d for %s", hostname, port, org);
11168 if (ssh->version == 1) {
11169 send_packet(ssh, SSH1_MSG_PORT_OPEN,
11170 PKT_INT, c->localid,
11173 /* PKT_STR, <org:orgport>, */
11176 pktout = ssh2_chanopen_init(c, "direct-tcpip");
11178 char *trimmed_host = host_strduptrim(hostname);
11179 ssh2_pkt_addstring(pktout, trimmed_host);
11180 sfree(trimmed_host);
11182 ssh2_pkt_adduint32(pktout, port);
11184 * We make up values for the originator data; partly it's
11185 * too much hassle to keep track, and partly I'm not
11186 * convinced the server should be told details like that
11187 * about my local network configuration.
11188 * The "originator IP address" is syntactically a numeric
11189 * IP address, and some servers (e.g., Tectia) get upset
11190 * if it doesn't match this syntax.
11192 ssh2_pkt_addstring(pktout, "0.0.0.0");
11193 ssh2_pkt_adduint32(pktout, 0);
11194 ssh2_pkt_send(ssh, pktout);
11198 static int ssh_connected(void *handle)
11200 Ssh ssh = (Ssh) handle;
11201 return ssh->s != NULL;
11204 static int ssh_sendok(void *handle)
11206 Ssh ssh = (Ssh) handle;
11207 return ssh->send_ok;
11210 static int ssh_ldisc(void *handle, int option)
11212 Ssh ssh = (Ssh) handle;
11213 if (option == LD_ECHO)
11214 return ssh->echoing;
11215 if (option == LD_EDIT)
11216 return ssh->editing;
11220 static void ssh_provide_ldisc(void *handle, void *ldisc)
11222 Ssh ssh = (Ssh) handle;
11223 ssh->ldisc = ldisc;
11226 static void ssh_provide_logctx(void *handle, void *logctx)
11228 Ssh ssh = (Ssh) handle;
11229 ssh->logctx = logctx;
11232 static int ssh_return_exitcode(void *handle)
11234 Ssh ssh = (Ssh) handle;
11235 if (ssh->s != NULL)
11238 return (ssh->exitcode >= 0 ? ssh->exitcode : INT_MAX);
11242 * cfg_info for SSH is the currently running version of the
11243 * protocol. (1 for 1; 2 for 2; 0 for not-decided-yet.)
11245 static int ssh_cfg_info(void *handle)
11247 Ssh ssh = (Ssh) handle;
11248 return ssh->version;
11252 * Gross hack: pscp will try to start SFTP but fall back to scp1 if
11253 * that fails. This variable is the means by which scp.c can reach
11254 * into the SSH code and find out which one it got.
11256 extern int ssh_fallback_cmd(void *handle)
11258 Ssh ssh = (Ssh) handle;
11259 return ssh->fallback_cmd;
11262 Backend ssh_backend = {
11272 ssh_return_exitcode,
11276 ssh_provide_logctx,